What can I do with an xM1+ implant?

I was hoping to get some clarification on the implementation of the xM1+…

“The xM1+ is a Mifare S50 1k “Classic” compatible chip with a “Chinese backdoor” feature (if you want to call it that) which allows all data on the chip to be completely writable, regardless of any memory sector security, A/B crypto1 key values, or access control bit settings.”

“xM1 13.56mhz S50 (Mifare Classic 1K)
The xM1 is a high frequency 13.56MHz transponder based on the Mifare Classic S50 1K chip. This chip type is ISO14443A compliant but is not NFC compliant. The xM1 has 768 bytes of user programmable memory and also supports Crypto1 security features. The xM1 is supported only on some NFC devices which contain a reader chip from NXP. While the xM1 will work with any ISO14443A reader, including our PN532 reader, it cannot be expected to work reliably with all NFC devices. We supply the xM1 for people who have a specific need for this particular chip type.”

(apologies if this seems obvious, I am just an amateur at this stage)
Does this mean it would be possible to clone the information from a transit card to the xM1+ for example (if the technology is compatible). I live in Sydney and I remember reading that our Opal transport cards use Mifare technology. Thank you in advance for any answers.

The world of “mifare” is a confusing mess. Basically there are RFID chips called Mifare “Classic” which have the chip model number MF1 IC S50 for their 1k chip, and MF1 IC S70 for their 4k chip. The memory structure and security feature set of these “classic” chips are unique within the ISO14443A family of RFID and NFC tags. These types of chips have been deployed for decades and millions of systems out there use them. They employ a proprietary security mechanism called Crypto1, which has been hacked and broken for a long time now. The xM1 used the S50 1k version, and the xM1+ is a “replica” version of this chip which has a built-in “back door” to allow direct manipulation of bytes in memory, including changing the UID (serial number) of the chip, which is not supported by the original “classic” chips.

There are also Mifare Ultralight, Mifare Ultralight C, and confusingly, Mifare “Classic” EV1 … none of which are anything like the Mifare “Classic” 1k or 4k chips mentioned above in terms of memory structure or security features. In short, they are not directly compatible with each other, even though they all can “speak” with ISO14443A readers.

In Sydney, the transit system uses DESFire EV1, which is also ISO14443A, but is again nothing like any of the other chips mentioned above, including the Mifare “Classic” EV1. So, in short, you cannot copy a Sydney transit card to an xM1+, but take heart… We will have a solution for you later this summer!


This is such a comprehensive answer, thank you very much. Mifare is indeed quite the handful. If you mean the coming non-beta FlexDF, then I am very excited and eagerly await its release.

I have xEM and xNT implants in either hand and just added an xM1+ to my cart with one of those excellent t-shirts. I will have to figure out some other use for the xM1+

Just for your curiosity, there is a car-share service in Sydney called GoGet that uses RFID cards to access their cars, wherein the keys are found inside. I have cloned my card to my xEM in my right hand and I never grow bored of using my implant to the amusement of others. Thank you for making this all possible.

1 Like

Hmm haha the xM1 is not even in beta yet… we have a couple prototypes… it should not be able to be added to your card (at least not yet).

The transit solution we’re exploring will result in a flex device, but it’s not the flexDF. It will be dedicated to transit.

haha that’s great about the GoGet car service… love having useful applications like that beyond your own home… “out in the big big world” type applications :slight_smile:

How much will the xM1 Plus cost? I want to be one of the first ones to buy it!

We’re still dealing with pricing but we’re expecting it to be in the $50-$75 range… but don’t anchor yourself to that… it’s just the current thinking.

1 Like

Mifare Classic EV1 cards can be copied to a S50 device like the xM1+ if the card is using crypto1 and not AES encryption. The point of the Mifare Classic EV1 was to offer a way to incrementally upgrade to a more secure system and slowly move away from crypto1 so it’s common to see these cards still using crypto1 so they can support legacy systems. However Mifare Classic EV1 cards require a different set of exploits then Mifare Classic cards if the keys are unknown.

I successfully copied an Mifare Classic EV1 card to my xM1+ implant using a $30 dollar ACR122 RFID reader. If anyone is looking for more information on copying MIfare Classic EV1 cards I recommend checking out this write up and the slides that go along with it.

1 Like