Trying to reprogram flexMN

So I got the flexMN in and finally have consistent reads. I also have a test magic NTAG I’ve been using. I recently came across a Mifare Ultralight EV1 48 byte card, but haven’t had luck in cloning it. I’ve been able to change the card type, but nada elsewise.


Any chance in getting some help here?

1 Like

What exactly are you having problems with? You changed the card type of the magic ntag? Right? But can’t clone the rest of the data? What are you using to try to write to it? The proxmark3? Or a mobile app?

I’m probably having the wrong approach to trying to change the settings in the first place. I think I may have changed the card type, but it’s upon closer inspection, it seems only my test card has had the UID and type changed, and nothing for the implant, reading as NTAG203(F) (NTAG203(F)).

I’m not sure how to clone the rest of the data, or copy it from the original card, and haven’t been able to find anything so far. I’m using a PM3 connected to my phone that’s running Iceman. It has the near exact properties as a desktop setup, so I’m hoping it should be okay, especially as my test card settings can be changed.

Proxmark3 Easy or RDV4? Are you using the RFID Research Group RFID-Tools app on Android?

Are there any issues listed when you run ‘hw tune’?

Yeah I was also like “eh what?” … I’m pretty sure Walrus (the android proxmark3 client for Android) needs the main branch firmware to operate correctly?

oh wait what? they have their own android tool now? well hot damn! i’m so behind the times!

Yes. I posted in a different thread a while back. Walrus requires mainstream.

The RRG app can talk to a Proxmark3 Easy (it expects rdv4 but works with Easy) with a fairly recent iceman branch. It can also use an acr122u, a chameleon mini/tiny/tiny-pro, and more…

It is a pretty decent all in one app.

Below this point are the acr122u and more named chips…

2 Likes

Just the Easy on mobile. I’ve programed an xM1 on there before, so it’s been fine for hf. I’m not sure what version I’m using entirely, but it’s just being run on Termux using the TCP Bridge technique.

No issues! Just some decent voltage drop,although more significant on the test card.

Either way, would really appreciate any help in setting it up.

I just run ‘hf mf auto’ to get a dump file of a card and ‘hf mf cload -f [dump filename]’ to clone it to a new one. Make sure the UID of your old card matches too by using ‘hf mf csetuid -u [original card uid]’

Alright, I’ve been fiddling around with thr flexMN, and after some attempts, I can’t seem to change the UID or card type, even when it is (semi) successful on my test card… Really hoping that the implant isn’t bricked. I decided to use Proxspace, but I can’t do anything.

Trying out hf mfu info works on the test card, but doesn’t bring up anything on the implant.

what do you get when you issue the -c read config command?

It doesn’t appear as anything. Which is bizarre, since I get consistent reads on hf 14a info, and get drops of 3V on hf tune (vs the card I want to clone that gets 1-2V drops). When attempting it on the test card, it comes up configured as NTAG 213

hmm can you post the output?

Sure, top one is for my implant (a wedge) , the bottom is for the testcard (a circle flexy).


And this. Same again.

(please ignore the fact it is a photo, laptop has troubles with wifi)

Hmm… yeah the lack of data is concerning… it was working at one point though correct? It was returning card type?

I don’t think it has returned from -c before. I tried changing the card type using -t 1, it said it was successful, but nothing had changed.

grrrr… that’s not a good sign unfortunately. The annoying part is that like any digital data writing procedure, “success” is only assumed… almost nothing goes back to verify the changes were actually written to the medium… including hard drives, CD burns, etc… not unless you enable some kind of verification check after writing. In most cases, the proxmark3 is the same… it assumes the changes bit banged out over the RF field have been received and changes made.

Do you recall attempting to get -c info before making any writes?

Hmm, unfortunately not. If I tried, it probably came back the same as what I got previously, as I don’t remember it being any different between -c reads.