Problems Cloning PFM01K to Magic 7-Byte Or Gen4 Ultimate Card

Support
1

This is a follow up post to my earlier one looking to clone my apartment FOB since its a puck and used for everything from apartment entry to elevator to car garage. It’s one of these PFM01K’s, which look like glorified Mifare Classic 1K’s with a 7-byte UID. Earlier this week I had a shipment of some Magic 1K 7-bytes UID, Magic 4K 7-Byte UID, and 2 of the new Gen4 Ultimate Magic ones. I thought it would be a straight UID clone, but it appears to be more complex than that.

First off, here’s the original fob’s info, with dumped keys:

[=] hf search
[-] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] --- Tag Signature
[=]  IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=]     Elliptic curve parameters: NID_secp128r1
[=]              TAG IC Signature: 57DCFA81E98AC4F031B3140DEB8563F9BE5830F6AC6EAE8742B9D264D2569528
[+]        Signature verification: successful
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf autopwn
[=] MIFARE Classic EV1 card detected
[=] target sector  17 key type B -- using valid key [ 4B 79 1B EA 7B CC ] (used for nested / hardnested attack)
[+] loaded 45 keys from hardcoded default array
[=] running strategy 1
[=] ..
[=] Chunk 5.3s | found 22/36 keys (45)
[=] running strategy 2
[=] ...
[=] Chunk 6.8s | found 22/36 keys (45)
[+] target sector   0 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   0 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   1 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   2 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   3 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type A -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   4 key type B -- found valid key [ FFFFFFFFFFFF ]
[+] target sector   5 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   6 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   7 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   8 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector   9 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  10 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  11 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  12 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  13 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  14 key type A -- found valid key [ 6A1987C40A21 ]
[+] target sector  15 key type A -- found valid key [ 6A1987C40A21 ]
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1613 million (2^30.6) keys/s     | 140737488355328 |   24h
[=]        6 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   24h
[#] AcquireEncryptedNonces finished
[=]        9 |     112 | Apply bit flip properties                               |    723065044992 |  7min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       11 |     224 | Apply bit flip properties                               |    374605742080 |  4min
[#] AcquireEncryptedNonces finished
[=]       12 |     336 | Apply bit flip properties                               |    373583380480 |  4min
[#] AcquireEncryptedNonces finished
[=]       13 |     448 | Apply bit flip properties                               |    372561018880 |  4min
[=]       14 |     558 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       14 |     668 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       15 |     777 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       16 |     887 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       17 |     997 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       18 |    1108 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       19 |    1219 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[=]       20 |    1330 | Apply bit flip properties                               |    372024573952 |  4min
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       22 |    1440 | Apply Sum property. Sum(a0) = 128                       |     34853875712 |   22s
[=]       22 |    1550 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       23 |    1659 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       24 |    1770 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       25 |    1878 | Apply bit flip properties                               |     17286682624 |   11s
[#] AcquireEncryptedNonces finished
[=]       26 |    1878 | (1. guess: Sum(a8) = 256)                               |     17286682624 |   11s
[=]       27 |    1878 | Apply Sum(a8) and all bytes bitflip properties          |     17024865280 |   11s
[=]       27 |    1878 | (2. guess: Sum(a8) = 224)                               |     59371520000 |   37s
[=]       27 |    1878 | Apply Sum(a8) and all bytes bitflip properties          |     58800656384 |   36s
[=]       27 |    1878 | Brute force phase completed.  Key found: 7F33625BC129   |               0 |    0s
[+] target sector   5 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   6 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   7 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   8 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector   9 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  10 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  11 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  12 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  13 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  14 key type B -- found valid key [ 7F33625BC129 ]
[+] target sector  15 key type B -- found valid key [ 7F33625BC129 ]
[#] Cmd Error 04
[#] Read block error
[=] Hardnested attack starting...
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]          |         |                                                         | Expected to brute force
[=]  Time    | #nonces | Activity                                                | #states         | time
[=] ---------+---------+---------------------------------------------------------+-----------------+-------
[=]        0 |       0 | Start using 16 threads and AVX2 SIMD core               |                 |
[=]        0 |       0 | Brute force benchmark: 1362 million (2^30.3) keys/s     | 140737488355328 |   29h
[=]        6 |       0 | Using 235 precalculated bitflip state tables            | 140737488355328 |   29h
[#] AcquireEncryptedNonces finished
[=]        9 |     112 | Apply bit flip properties                               |      7693851648 |    6s
[#] AcquireEncryptedNonces finished
[#] AcquireEncryptedNonces finished
[=]       10 |     224 | Apply bit flip properties                               |      1638654592 |    1s
[#] AcquireEncryptedNonces finished
[=]       11 |     336 | Apply bit flip properties                               |      1251086464 |    1s
[#] AcquireEncryptedNonces finished
[=]       12 |     448 | Apply bit flip properties                               |      1008151808 |    1s
[=]       13 |     560 | Apply bit flip properties                               |       975424832 |    1s
[#] AcquireEncryptedNonces finished
[=]       14 |     670 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       15 |     780 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       16 |     889 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       16 |    1001 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       17 |    1112 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       18 |    1219 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       19 |    1325 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       20 |    1436 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       21 |    1547 | Apply bit flip properties                               |       712448128 |    1s
[#] AcquireEncryptedNonces finished
[=]       23 |    1656 | Apply Sum property. Sum(a0) = 120                       |       121225600 |    0s
[#] AcquireEncryptedNonces finished
[=]       23 |    1656 | (Ignoring Sum(a8) properties)                           |       121225600 |    0s
[=]       25 |    1656 | Brute force phase completed.  Key found: D01AFEEB890A   |               0 |    0s
[+] target sector  16 key type B -- found valid key [ D01AFEEB890A ]

[+] found keys:

[+] -----+-----+--------------+---+--------------+----
[+]  Sec | Blk | key A        |res| key B        |res
[+] -----+-----+--------------+---+--------------+----
[+]  000 | 003 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  001 | 007 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  002 | 011 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  003 | 015 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  004 | 019 | FFFFFFFFFFFF | D | FFFFFFFFFFFF | D
[+]  005 | 023 | 6A1987C40A21 | D | 7F33625BC129 | H
[+]  006 | 027 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  007 | 031 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  008 | 035 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  009 | 039 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  010 | 043 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  011 | 047 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  012 | 051 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  013 | 055 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  014 | 059 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  015 | 063 | 6A1987C40A21 | D | 7F33625BC129 | R
[+]  016 | 067 | 5C8FF9990DA2 | D | D01AFEEB890A | H
[+]  017 | 071 | 5C8FF9990DA2 | D | 4B791BEA7BCC | U
[+] -----+-----+--------------+---+--------------+----
[=] ( D:Dictionary / S:darkSide / U:User / R:Reused / N:Nested / H:Hardnested / C:statiCnested / A:keyA  )


[=] FILE PATH:  hf-mf-044EEDD2747281-key.bin
[+] Generating binary key file
[+] Found keys have been dumped to hf-mf-044EEDD2747281-key.bin
[=] FYI! --> 0xFFFFFFFFFFFF <-- has been inserted for unknown keys where res is 0
[+] transferring keys to simulator memory (Cmd Error: 04 can occur)
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY A,  swapping to KEY B
[#] Cmd Error 04
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[#] wrong response len 0 (expected 18)
[=] fast dump reported back failure w KEY B
[=] Dump file is PARTIAL complete
[=] downloading the card content from emulator memory
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.bin
[+] saved 1024 bytes to binary file hf-mf-044EEDD2747281-dump.bin
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.eml
[+] saved 64 blocks to text file hf-mf-044EEDD2747281-dump.eml
[=] FILE PATH:  hf-mf-044EEDD2747281-dump.json
[+] saved to json file hf-mf-044EEDD2747281-dump.json
[=] autopwn execution time: 72 seconds

SALTO Keys and Dump.zip (2.2 KB)

So it looks like we got all the keys and a good dump. Problem now is getting it onto a card. I initially tried cloning the UID to both the 1K and 4K cards, which worked but the card reader refused them.

1K:

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+]  SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 CC 98 02
[+] New UID... 04 4E ED D2 74 72 81
[usb] pm3 --> hf search
[|] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

4K:

[usb] pm3 --> hf mf gen3uid -u 044EEDD2747281
[+] Old UID... 04 12 19 C3 21 93 16
[+] New UID... 04 4E ED D2 74 72 81

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 74 72 81
[+] ATQA: 00 42
[+]  SAK: 18 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 4K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : possibly Gen 3 / APDU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found
2

After just the UID clone failed, I tried the script run hf_mf_gen3_writer, which I ran using the above keys and dump:

[usb] pm3 --> script run hf_mf_gen3_writer
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_gen3_writer.lua
[+] args ''
Waiting for card... press Enter to quit
----------------------------------------------------------------
 Are you use a Windwos OS ? [y/n] ?n
----------------------------------------------------------------
 1 | 044EEDD2747281
----------------------------------------------------------------
 Your card has UID 044EEDD2747281

 Select which dump to write (1 until 1)
----------------------------------------------------------------
 --> 1
----------------------------------------------------------------
 You have been selected card dump No 1, with UID: 044EEDD2747281. Your card UID: 044EEDD2747281
----------------------------------------------------------------
 Change UID ? [y/n] ?y
Waiting for card... press Enter to quit
[←[32m+←[0m] 90 00 [ ←[32mFD 07←[0m ]
----------------------------------------------------------------
 The new card UID : 044EEDD2747281
----------------------------------------------------------------
 Permanent lock UID ? (card can never change uid again)  [y/n] ?n
----------------------------------------------------------------
 Going to check the all KeyB by FFFFFFFFFFFF
----------------------------------------------------------------
[←[34m#←[0m] Cmd Error 04
[←[34m#←[0m] Read block error
----------------------------------------------------------------
 It this is a new blank card ? Do you wishing to change Access Conditions to using B key FFFFFFFFFFFF as main ? [y/n] ?n
----------------------------------------------------------------
 Write selected dump to card ? [y/n] ?y
----------------------------------------------------------------
Waiting for card... press Enter to quit

[←[33m=←[0m] Targeting Sector 0 / Block 0 - Manufacturer block
[←[33m=←[0m] Read the helptext for details before writing to this block
[←[33m=←[0m] You must use param `←[33m--force←[0m` to write to this block

[←[33m=←[0m] Writing block no 1, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 2, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 3, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 4, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 5, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 6, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 7, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 8, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 9, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 10, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 11, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 12, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 13, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 14, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 15, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 16, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 17, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 18, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 19, key B - FFFFFFFFFFFF
[←[33m=←[0m] data: FF FF FF FF FF FF FF 07 80 69 FF FF FF FF FF FF
[←[34m#←[0m] Cmd Error: 04
[←[34m#←[0m] Write block error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 20, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 21, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 22, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 23, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 24, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 25, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 26, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 27, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 28, key B - 7F33625BC129
[←[33m=←[0m] data: B3 76 FE 17 21 97 F2 97 71 E9 14 25 49 45 C8 92
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 29, key B - 7F33625BC129
[←[33m=←[0m] data: 75 47 DD 27 55 61 5E 5D 4B 42 46 24 6E D3 E0 C9
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 30, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 31, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 32, key B - 7F33625BC129
[←[33m=←[0m] data: ED D6 97 0D F0 83 6D 40 97 66 D7 4A B3 88 8E 26
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 33, key B - 7F33625BC129
[←[33m=←[0m] data: 3C 5E B9 8F 80 78 4B 18 0A CA A0 D9 D8 2E 44 F4
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 34, key B - 7F33625BC129
[←[33m=←[0m] data: FC 85 4B 39 FB DF DE 0E 5B DA DA A6 AE 6F 3C FF
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 35, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 36, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 37, key B - 7F33625BC129
[←[33m=←[0m] data: 00 01 FE 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 38, key B - 7F33625BC129
[←[33m=←[0m] data: 89 4E 0C 91 CF D2 A5 1D 37 BD 07 5B 90 FF 82 C4
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 39, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 40, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 41, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 42, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 43, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 44, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 45, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 46, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 47, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 48, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 49, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 50, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 51, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 52, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 53, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 54, key B - 7F33625BC129
[←[33m=←[0m] data: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 55, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 56, key B - 7F33625BC129
[←[33m=←[0m] data: B4 90 00 E6 00 00 00 1A 00 00 00 00 EE 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 57, key B - 7F33625BC129
[←[33m=←[0m] data: 00 14 EB 6E 09 2E D4 2B D7 C6 19 3A 81 43 79 18
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 58, key B - 7F33625BC129
[←[33m=←[0m] data: BA 1F 17 A7 2A 3D 74 AE 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 59, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 60, key B - 7F33625BC129
[←[33m=←[0m] data: E0 FF 00 00 00 48 EF 48 1F 00 FF FF FF B7 10 B7
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 61, key B - 7F33625BC129
[←[33m=←[0m] data: FF 81 96 00 10 02 00 2B 00 00 00 00 00 00 00 00
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 62, key B - 7F33625BC129
[←[33m=←[0m] data: FF FF 0E F1 81 3E 28 E0 94 76 A6 1D E9 F4 2D D7
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
[←[33m=←[0m] Writing block no 63, key B - 7F33625BC129
[←[33m=←[0m] data: 6A 19 87 C4 0A 21 F7 8F 00 5A 7F 33 62 5B C1 29
[←[34m#←[0m] Auth error
[←[31m-←[0m] Write ( ←[31mfail←[0m )
[←[33m?←[0m] Maybe access rights? Try specify keytype `←[33mhf mf wrbl -a ...←[0m` instead
----------------------------------------------------------------
You are welcome

[←[32m+←[0m] finished ←[33mhf_mf_gen3_writer←[0m

I’m not really sure what these access errors are, but nonetheless it also does not seem to be correct to the reader.

For giggles, I tried to do it on the Gen4 Magic Card (which is pretty cool), but I ran into an issue where it couldn’t clone the UID right.

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00000000000002000978009102DABC191010111213141516040008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 4-byte UID
 - UID                  04112233
 - ATQA                 00 04
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -t 4
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-t 4'

Setting: Ultimate Magic card to Mifare 1k S50 7-byte
Writing new UID         04112233445566

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00010000000002000978009102DABC191010111213141516440008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 7-byte UID
 - UID                  0411223304E5AA
 - ATQA                 00 44
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -u 044EEDD2747281
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-u 044EEDD2747281'

Writing new UID         044EEDD2747281

[+] finished hf_mf_ultimatecard

[usb] pm3 --> script run hf_mf_ultimatecard -c
[+] executing lua D:\ProxSpace\pm3\proxmark3\client\luascripts\hf_mf_ultimatecard.lua
[+] args '-c'

========================================================================================
                        Ultimate Magic Card Configuration
========================================================================================
 - Raw Config           00010000000002000978009102DABC191010111213141516440008006B00
 - Card Protocol        MIFARE Classic Protocol
 - Ultralight Mode      Disabled
 - ULM Backdoor Key     00000000
 - GTU Mode             Disabled
 - Card Type            MIFARE 1k S50 7-byte UID
 - UID                  044EEDD275181F
 - ATQA                 00 44
 - SAK                  08

[+] finished hf_mf_ultimatecard

[usb] pm3 --> hf search
[/] Searching for ISO14443-A tag...
[+]  UID: 04 4E ED D2 75 18 1F
[+] ATQA: 00 44
[+]  SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+]    MIFARE Classic 1K CL2
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities : Gen 4 GTU
[+] Prng detection: weak
[#] Auth error
[?] Hint: try `hf mf` commands


[+] Valid ISO 14443-A tag found

The UID writing on the Gen4 is super strange as it clones the first few bytes, but then starts to mess up later on.

Any advice on either of these issues would be awesome. I’ve heard anecdotally that the SALTO keys can be a real pain to work with, since the readers have a tendency to write data to the key and therefore only allow one working FOB at a time.

3

Have you reset the card after setting only the uid and before loading the dump? I don’t personally use a pm3 for my cloning needs. However, I do have access to an apartment property that uses Salto smart locks. So it will work in the same format of updating credentials at the main reader.

I’ve been using MTools BLE to clone using a ChameleonUltra SE edition. On the face of it, the dump data is cloned but I am yet to physically test it.

With Salto locks I have only ever found gen1a to work flawlessly. It’s possible that it is using some sort of readback command to detect it as a gen3 magic card. I know on mtools we have the option to leave block zero non-writable.

Once I have tested my umc on the salto lock i will update this thread. It’s possible that it’s the behaviour of the card rather than a write issue.

I now see the OP was May 23 :roll_eyes:

2 Likes
4

I’m successfully using a gen4 card to emulate a salto pfm04k that my building gives out.

I had some snags but ultimately got it to work after wiping the card with my pm3, formatting it as mifare 4k, loading the dump from the real fob, and then manually setting the card’s sak/atqa.

Not sure if the last step was necessary. I was having a lot of problems with the door readers accepting the clone, but I suspect that my using the flipper to validate was causing the card to flip some config bits.

Once my ug4 heals enough to be usable I’ll have two usable magic cards and can spend some time doing more empirical tests with the spare card.

I’m also lucky that it seems my building doesn’t try to write data back to the fob like some other threads have mentioned.

The gen4 card is the only one I’ve ever been able to get working with the salto locks, so who knows :person_shrugging:

2 Likes
5

Haha, i was half hoping this topic would get revived as a way for us to talk about the ug4 and people’s experiences/hiccups with it.

That is partially my concern whether the ug4 will accept writes back to it from the reader. I want to be able to operate it as a gen1a and as a gen2 on different occasions.

I have been testing the crap out of my card and lucky I have a flipper otherwise I wouldn’t have been able to reset my test card.

Mtools do have a write up on how to recover a ug4 but I have found it only works 90% of the time.

Is anyone using the FuseTool windows application? I got hold of it from the seller but I’m having issues detecting the card reader. I’ve tried everything from pn532, acr122u, omnikey 5022CL and acr128iu. none of these card readers seem to be detected by the application.

I feel a pm3easy may be on my shopping list soon.

1 Like
6

I’m surprised it has taken this long for you to get one, given your profession.

I rarely use mine also, as I prefer the ease and convenience of the Flipper and MCT, but the PM3 is still the gold standard.
With the gen 4 / ug4 I will personally likely start carrying my easy with me and using termux on my phone

1 Like
7

Due to the nature of the job I spend most of my time outdoors, so not a lot of time around rfid technology. If the client is staying in a hotel, I’ve already got duplicate keycards and the necessary access credentials. Maybe I might need to clone a card or make a duplicate where one has been missed off or unexpectedly need a spare.

Our purpose is keeping the client safe so we’re dealing more with medical first aid, terrorism awareness and prevention of injury whether through accident or personal attack, and harassment. Despite the movies, there’s rarely a tech guy unless the client has specifically paid for a TCSM service. But even then regular sweeps are rarely done due to cost to the client. Often just done once at the beginning of the task with the room or floor locked down for the duration. So as you can see we already have a lot on our minds without having to deal with 14a raw commands!

1 Like