That was quick! Yup, remembered reading it somewhere, donât remember where it was though.
Thanks for the link.
Well, everyone beat me to the important part⌠Haha.
Iâm not familiar with MIFARE+ but a quick look shows MIFARE Plus SE is a thing (that iPassan has apparently shortened to MIFARE+). I doubt the flexUG4 supports the added features of the that chip but if the readers support legacy chips (such as MIFARE Classic 1k/4k) then youâd be good.
Alright, Iâd love to get 100% confirmation on this this time!
I was under the assumption my NExT would work too (my fault, no one elseâs).
The physical unit is this one.
And the enrollment software looks like this:
And the IDâs are in this format: 80112233445504.
Looking at the link you sent I see this: MifareÂŽ Classic and MifareÂŽ Plus proximity reader (AES 128 bit encryption)
Iâm guessing the âProximity token 1356â is MFC. I would take @GrimEchoâs suggestion and get the Card Pack so you can try enrolling the MIFARE Classic cards. If they work, youâre good to go with an xMagic (or xM1, flexM1) or flexUG4. I would suggest the flexUG4 just to give yourself more options in the future. Or if you travel.
Good idea - so if I can enroll the card and it works, then itâs an identical chip to the implant. Iâll do that.
Would you agree with my previous statement too then?
Glad I found this out now! Iâll do some more research into best positions for the flexUG4, but I still want it accessible and not an awkward angle to enter the building every time!
Sometimes this means having implants in both hands, unfortunately. Particularly when readers arenât on consistent sides of doors.
I would. But also, my approach has been to go flex whenever there is a flex option simply because of the increased ease of coupling with the much larger antennas. Have you tried using your HF field detector on the readers to see if theyâll even couple with an x-series?
Not sure what you are asking here?
Watch this video : )
That is potentially a simple way to test if the reader would work with an implant, but since all of the chips we are talking about (both in the card pack and the implants) are âmagicâ, you can also clone an existing card/fob to them.
The method(s) for cloning depends on whether you are using a Magic Gen 1, Magic Gen 2, or Magic Gen4. I believe the Gen4 requires a ProxMark (the ProxMark that DT sells is the PM3 âEZâ) and a script, at least initially. The Gen2 can be programmed with either a ProxMark or the free MCT tool on Android, and the Gen1a needs a ProxMark.
There is a good possibility that the access control system only cares that the chip it sees chirps a UUID of the expected length and in the expected format. If so, then you can likely enroll any of the above chips out-of-the-box. I believe all of them default to emulating some type of MiFare chip with a random UUID. But if you canât enroll the chip/card immediately, that doesnât necessarily mean you donât be able to after programming it to emulate a specific type of device.
All of this is a long way of saying that if you think the ACS you want to use supports MiFare Classic, then try enrolling the Gen2 card from the cardpack. If that doesnât work, then use the MCT app to try and clone an existing card to the Gen2 magic card.
The existing ones are 7-byte UIDs, unfortunately. MIFARE Plus.
Ohh I see what you mean.
They donât even recognise my NExT so I havenât bothered testing that specifically. But they are a powered reader so I canât think there would be any issues.
I have no issues tapping my NExT on similar random readers elsewhere, and they find the chip instantly (obviously I get a fat red light on it though).
We send the field detectors out because of the variability in readers. I have found more than a few where I live that donât couple with x-series. If you are leaning towards the xMagic, itâs worth verifying the specific readers youâre interested in.
hnnnnng mifare plusâŚ
super duper optionally secure & also optionally insecure depending on the security level theyâre placed in (can be investigated with a proxmark)
they have a reverse compatibility mode with mifare classic where they can emulate a cred and have that be your sauce for auth but thatâs again an optional lack of security. in terms of enrolling that would be up to the security admins and would involve them enrolling just your UID of your implant which they may not want to or may not be able to do depending on the level of lockouts the access control system has when it comes to creating valid users. worth a chat tho.
that would be a case for the UG4 as youâd at least want something with the 7byte UID.
Was messing with the door.
The lights on my HF keyring go crazy at any orientation. And so does the diag card. So Iâm confident of the power of the reader.
I have the CUID card from the pack which doesnât even register on the reader.
Proxmark says it is this:
[+] UID: 8E XX XX 30
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Magic capabilities... Gen 2 / CUID
[+] Prng detection....... weak
And I have another card which registers but just gives me a red light:
[+] UID: 42 XX XX 03
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection....... hard
[=]
[=] --- Tag Signature
[=] IC signature public key name: NXP MIFARE Classic MFC1C14_x
Does that give any clues for the implant I should be looking at?
Or do I really need the Card Pack to make 100% sure first? Only problem it is USD$80 shipping for it alone! So I wanted the chip at the same time.
Try scanning a legit working card for this door and post that?
I only have a fob and it says this:
[+] UID: 04 11 22 33 44 55 80
[+] ATQA: 00 44
[+] SAK: 08 [2]
[+] MANUFACTURER: NXP Semiconductors Germany
[+] Possible types:
[+] MIFARE Classic 1K CL2
[=] -------------------------- ATS --------------------------
[+] ATS: 0C 11 22 33 44 55 66 77 88 99 00 D1 [ D3 00 ]
[=] 0C............... TL length is 12 bytes
[=] 75............ T0 TA1 is present, TB1 is present, TC1 is present, FSCI is 5 (FSC = 64)
[=] 77......... TA1 different divisors are supported, DR: [2, 4, 8], DS: [2, 4, 8]
[=] 80...... TB1 SFGI = 0 (SFGT = (not needed) 0/fc), FWI = 8 (FWT = 1048576/fc)
[=] 02... TC1 NAD is NOT supported, CID is supported
[=] -------------------- Historical bytes --------------------
[=] C1 05 21 30 10 F6 D1
[+] C1..................... Mifare or (multiple) virtual cards of various type
[+] 05.................. length is 5 bytes
[+] 2x............... MIFARE Plus
[+] x1............... 1 kByte
[+] x0............ Generation 1
[+] x0......... Only VCSL supported
[?] Hint: try `hf mfp info`
[=] --- Fingerprint
[=] SIZE: 2K (7 UID)
[=] SAK: 2K 7b UID
[=] --- Security Level (SL)
[+] SL mode: SL1
[=] SL 1: backwards functional compatibility mode (with MIFARE Classic 1K / 4K) with an optional AES authentication
Looks like a flexUG4 is your best bet. Itâs a 7 byte Mifare 1k which is not the âclassicâ type that the xMagic and xM1 are.
Can you run an autopwn on it to get keys?
It could also be a smartcard⌠try running taginfo and sharing the full scan data?
No luck on autopwn:
[!] â ď¸ no known key was supplied, key recovery might fail
[+] loaded 59 keys from hardcoded default array
[=] running strategy 1
[=] running strategy 2
[=] ......
[-] â No usable key was found!
But I made friends with the security person, so I have no issues enrolling my own ID.
Obviously if the chip can read first!