Problems Cloning PFM01K to Magic 7-Byte Or Gen4 Ultimate Card

Appellus · March 5, 2023, 12:21am

This is a follow up post to my earlier one looking to clone my apartment FOB since its a puck and used for everything from apartment entry to elevator to car garage. It’s one of these PFM01K’s, which look like glorified Mifare Classic 1K’s with a 7-byte UID. Earlier this week I had a shipment of some Magic 1K 7-bytes UID, Magic 4K 7-Byte UID, and 2 of the new Gen4 Ultimate Magic ones. I thought it would be a straight UID clone, but it appears to be more complex than that.

First off, here’s the original fob’s info, with dumped keys:

[=] hf search
[-] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 57DCFA81E98AC4F031B3140DEB8563F9BE5830F6AC6EAE8742B9D264D2569528
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B 79 1B EA 7B CC ] (used for nested / hardnested attack)
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 5.3s | found 22/36 keys (45)
[=] running strategy 2
[=] ...
[=] Chunk 6.8s | found 22/36 keys (45)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   6 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   7 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   8 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   9 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  10 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  11 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  12 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  13 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  14 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  15 key type A -- found valid key [ 6A1987C40A21 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1613 million (2^30.6) keys/s     | 140737488355328 |   24h
[=]        6 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   24h
[#] AcquireEncryptedNonces finished
[=]        9 |     112 | Apply bit flip properties                               |    723065044992 |  7min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       11 |     224 | Apply bit flip properties                               |    374605742080 |  4min
[#] AcquireEncryptedNonces finished
[=]       12 |     336 | Apply bit flip properties                               |    373583380480 |  4min
[#] AcquireEncryptedNonces finished
[=]       13 |     448 | Apply bit flip properties                               |    372561018880 |  4min
[=]       14 |     558 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       14 |     668 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       15 |     777 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       16 |     887 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       17 |     997 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       18 |    1108 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       19 |    1219 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       20 |    1330 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       22 |    1440 | Apply Sum property. Sum(a0) = 128                       |     34853875712 |   22s
[=]       22 |    1550 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       23 |    1659 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       24 |    1770 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       25 |    1878 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       26 |    1878 | (1. guess: Sum(a8) = 256)                               |     17286682624 |   11s
[=]       27 |    1878 | Apply Sum(a8) and all bytes bitflip properties          |     17024865280 |   11s
[=]       27 |    1878 | (2. guess: Sum(a8) = 224)                               |     59371520000 |   37s
[=]       27 |    1878 | Apply Sum(a8) and all bytes bitflip properties          |     58800656384 |   36s
[=]       27 |    1878 | Brute force phase completed.  Key found: 7F33625BC129   |               0 |    0s
[+] target sector   5 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   6 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   7 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   8 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   9 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  10 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  11 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  12 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  13 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  14 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  15 key type B -- found valid key [ 7F33625BC129 ]
[#] Cmd Error 04
[#] Read block error
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1362 million (2^30.3) keys/s     | 140737488355328 |   29h
[=]        6 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   29h
[#] AcquireEncryptedNonces finished
[=]        9 |     112 | Apply bit flip properties                               |      7693851648 |    6s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       10 |     224 | Apply bit flip properties                               |      1638654592 |    1s
[#] AcquireEncryptedNonces finished
[=]       11 |     336 | Apply bit flip properties                               |      1251086464 |    1s
[#] AcquireEncryptedNonces finished
[=]       12 |     448 | Apply bit flip properties                               |      1008151808 |    1s
[=]       13 |     560 | Apply bit flip properties                               |       975424832 |    1s
[#] AcquireEncryptedNonces finished
[=]       14 |     670 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       15 |     780 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       16 |     889 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       16 |    1001 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       17 |    1112 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       18 |    1219 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       19 |    1325 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       20 |    1436 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       21 |    1547 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       23 |    1656 | Apply Sum property. Sum(a0) = 120                       |       121225600 |    0s
[#] AcquireEncryptedNonces finished
[=]       23 |    1656 | (Ignoring Sum(a8) properties)                           |       121225600 |    0s
[=]       25 |    1656 | Brute force phase completed.  Key found: D01AFEEB890A   |               0 |    0s
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | 6A1987C40A21 | D | 7F33625BC129 | H
[+]  006 | 027 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  007 | 031 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  008 | 035 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  009 | 039 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  010 | 043 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  011 | 047 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  012 | 051 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  013 | 055 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  014 | 059 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  015 | 063 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | H
[+]  017 | 071 | 5C8FF9990DA2 | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )


[=] FILE PATH:  hf-mf-044EEDD2747281-key.bin
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-044EEDD2747281-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A,  swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.bin
[+] saved 1024 bytes to binary file hf-mf-044EEDD2747281-dump.bin
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.eml
[+] saved 64 blocks to text file hf-mf-044EEDD2747281-dump.eml
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.json
[+] saved to json file hf-mf-044EEDD2747281-dump.json
[=] autopwn execution time: 72 seconds

SALTO Keys and Dump.zip (2.2 KB)

So it looks like we got all the keys and a good dump. Problem now is getting it onto a card. I initially tried cloning the UID to both the 1K and 4K cards, which worked but the card reader refused them.

1K:

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+]  SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 CC 98 02
[+] New UID... 04 4E ED D2 74 72 81
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

4K:

[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 21 93 16
[+] New UID... 04 4E ED D2 74 72 81

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+]  SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

Appellus · March 5, 2023, 12:21am

After just the UID clone failed, I tried the script run hf_mf_gen3_writer, which I ran using the above keys and dump:

[usb] pm3 --> script run hf_mf_gen3_writer
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_gen3_writer.lua
[+] args ''
Waiting for card... press Enter to quit
----------------------------------------------------------------
 Are you use a Windwos OS ? [y/n] ?n
----------------------------------------------------------------
 1 | 044EEDD2747281
----------------------------------------------------------------
 Your card has UID 044EEDD2747281

 Select which dump to write (1 until 1)
----------------------------------------------------------------
 --> 1
----------------------------------------------------------------
 You have been selected card dump No 1, with UID: 044EEDD2747281. Your card UID: 044EEDD2747281
----------------------------------------------------------------
 Change UID ? [y/n] ?y
Waiting for card... press Enter to quit
[←[32m+←[0m] 90 00 [ ←[32mFD 07←[0m ]
----------------------------------------------------------------
 The new card UID : 044EEDD2747281
----------------------------------------------------------------
 Permanent lock UID ? (card can never change uid again)  [y/n] ?n
----------------------------------------------------------------
 Going to check the all KeyB by FFFFFFFFFFFF
----------------------------------------------------------------
[←[34m#←[0m] Cmd Error 04
[←[34m#←[0m] Read block error
----------------------------------------------------------------
 It this is a new blank card ? Do you wishing to change Access Conditions to using B key FFFFFFFFFFFF as main ? [y/n] ?n
----------------------------------------------------------------
 Write selected dump to card ? [y/n] ?y
----------------------------------------------------------------
Waiting for card... press Enter to quit

[←[33m=←[0m] Targeting Sector 0 / Block 0 - Manufacturer block
[←[33m=←[0m] Read the helptext for details before writing to this block
[←[33m=←[0m] You must use param `←[33m--force←[0m` to write to this block

[←[33m=←[0m] Writing block no 1, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 2, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 3, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 4, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 5, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 6, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 7, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 8, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 9, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 10, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 11, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 12, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 13, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 14, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 15, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 16, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 17, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 18, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 19, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 20, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 21, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 22, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 23, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 24, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 25, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 26, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 27, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 28, key B - 7F33625BC129
[←[33m=←[0m] data: B3 76 FE 17 21 97 F2 97 71 E9 14 25 49 45 C8 92
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 29, key B - 7F33625BC129
[←[33m=←[0m] data: 75 47 DD 27 55 61 5E 5D 4B 42 46 24 6E D3 E0 C9
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 30, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 31, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 32, key B - 7F33625BC129
[←[33m=←[0m] data: ED D6 97 0D F0 83 6D 40 97 66 D7 4A B3 88 8E 26
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 33, key B - 7F33625BC129
[←[33m=←[0m] data: 3C 5E B9 8F 80 78 4B 18 0A CA A0 D9 D8 2E 44 F4
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 34, key B - 7F33625BC129
[←[33m=←[0m] data: FC 85 4B 39 FB DF DE 0E 5B DA DA A6 AE 6F 3C FF
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 35, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 36, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 37, key B - 7F33625BC129
[←[33m=←[0m] data: 00 01 FE 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 38, key B - 7F33625BC129
[←[33m=←[0m] data: 89 4E 0C 91 CF D2 A5 1D 37 BD 07 5B 90 FF 82 C4
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 39, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 40, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 41, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 42, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 43, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 44, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 45, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 46, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 47, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 48, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 49, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 50, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 51, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 52, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 53, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 54, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 55, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 56, key B - 7F33625BC129
[←[33m=←[0m] data: B4 90 00 E6 00 00 00 1A 00 00 00 00 EE 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 57, key B - 7F33625BC129
[←[33m=←[0m] data: 00 14 EB 6E 09 2E D4 2B D7 C6 19 3A 81 43 79 18
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 58, key B - 7F33625BC129
[←[33m=←[0m] data: BA 1F 17 A7 2A 3D 74 AE 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 59, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 60, key B - 7F33625BC129
[←[33m=←[0m] data: E0 FF 00 00 00 48 EF 48 1F 00 FF FF FF B7 10 B7
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 61, key B - 7F33625BC129
[←[33m=←[0m] data: FF 81 96 00 10 02 00 2B 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 62, key B - 7F33625BC129
[←[33m=←[0m] data: FF FF 0E F1 81 3E 28 E0 94 76 A6 1D E9 F4 2D D7
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 63, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
----------------------------------------------------------------
You are welcome

[←[32m+←[0m] finished ←[33mhf_mf_gen3_writer←[0m

I’m not really sure what these access errors are, but nonetheless it also does not seem to be correct to the reader.

For giggles, I tried to do it on the Gen4 Magic Card (which is pretty cool), but I ran into an issue where it couldn’t clone the UID right.

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00000000000002000978009102DABC191010111213141516040008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 4-byte UID
 - UID                  04112233
 - ATQA                 00 04
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -t 4
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-t 4'

Setting: Ultimate Magic card to Mifare 1k S50 7-byte
Writing new UID         04112233445566

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00010000000002000978009102DABC191010111213141516440008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 7-byte UID
 - UID                  0411223304E5AA
 - ATQA                 00 44
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -u 044EEDD2747281
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-u 044EEDD2747281'

Writing new UID         044EEDD2747281

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00010000000002000978009102DABC191010111213141516440008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 7-byte UID
 - UID                  044EEDD275181F
 - ATQA                 00 44
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 75 18 1F
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 4 GTU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

The UID writing on the Gen4 is super strange as it clones the first few bytes, but then starts to mess up later on.

Any advice on either of these issues would be awesome. I’ve heard anecdotally that the SALTO keys can be a real pain to work with, since the readers have a tendency to write data to the key and therefore only allow one working FOB at a time.