What kind of implant, Yale Doorman


I am considering a couple of implants, and have the following questions I hope you can answer regarding what implant(s) to get…

Primay needs:

At home, I have Yale Doorman locks, where the tags are of the type “Mifare Classic 1k”

At work, I have an ID card, using “NXP Mifare Classic 4k”

My plan is to clone the Yale tag and the ID card. – but I wonder: do I need two implants for this? (one flexM1 or xM1 for the yale doorman, and an …unknown… implant? for the Mifare Classic 4k?

Or is it possible to clone both tags to one implant?

Optional needs:

I also have a travelling card using Desfire ev1, and I’d love the idea to clone this as well, but only if it could go on the same implant as above, as it is rarely used


I am also interested in the xEM Access Controller. Is that only compatible with the xEM/next chip, or will it be able to read the mifare classic tags? (i.e.: would I need yet another implant for this to work?)

Final question: I have an ACR122U reader that I know will work to copy the classic 1k card.

With the right software, will this also work to clone the mifare classic 4k, or is the proxmark needed for this?

Best regards

Kenneth Haider

Hi Kenneth,
Welcome, It looks like you have done some research, so this should be easy for you.

Can you do taginfo scan and let us know if it is a 4 or 7 byte NUID?

If you get stuck

But I would reccomend you remove/hide/blur your actual NUID before posting in a public forum.

If your NUID for your work ID is 4 bytes, I would CLONE your Work ID and write this to your FlexM1 (or whatever you choose) then I would ENROLL into your Yale.
i.e. You should only need one

See @anon3825968 reply below, some better info than I provided

This is pretty unlikely unfortunately.

I am going to post a public transport conversion shortly,that will kinda explain why.
It is doable, but just for your specific scenario.

xEM Access Controller is only compatible with Low Frequency 125kHz, so only xEM, NExT, FlexEM, FlexMT etc

You shouldn’t need to do this, just let us know your NUID byte total and we can help you from there

Yes you do: the Yale Doorman needs to “take over” the entire implant. Well, strictly speaking, it only uses the first 6 sectors, but unless you’re lucky and the security system at your workplace only uses UIDs and you can convince the manager to enroll your Yale Doorman’s UID, you’re unlikely to use the Yale Doorman implant for anything other than your own stuff.

The Yale Doorman will work with a glass M1k (xM1) and a bit better with a flexM1. Not much better, but a bit better.

You’ll also need to procure a genuine Yale tag and exact-clone it into the implant. Or if you want to save money, I can send you a dump of one of my unused tags :slight_smile:

1 Like

Thans for the quick reply.
The ID card has a 4 byte NUID :slight_smile:
I am not sure if it is possible to enroll my FlexM1 into yale, as they seem to need proprietary tags (which is why I thought I enroll a yale-tag, then clone that)

however, it -might- be possible to enroll that tag into work. in any case I assume the correct answer would be to start with -one- implant, then expand if that one is not enough

shit… this is just like tattoos isn’t it… you start with “just one”, then all of a sudden your covered with them :sweat_smile:


FWIW, both my IAR M1K (equivalent to a xM1) and my FlexM1 are enrolled with my Yale Doorman locks (I have two).

So, yes. But you will need a Proxmark3 to program them.

I suggest you check out this thread:

…Getting a complete dump and using the “Mifare Classic Card Recovery Tool” with a standard ACR122U won’t work then? :-/ I wonder if I can get work to finance a Proxmark for…studies…

in any case, yes I saw that thread, Rosco. you are indeed the reason I’m concidering an implant. not sure whether to thank you or curse you. this is going to be expensive :-p

1 Like

Btw: the work card is, as I said, a 4k card.
I assume I need something other than the flexM1 for that then?

Hmm possibly. But you’ll need to clone the UID using the magic Mifare command. If your non-Proxmark3 tool can do it, it should be possible. But I’ve never tried it.

I know it’s doable with nfctools under Linux with an ACR122U. Not sure about Windows, I don’t use that. Surely someone who’s more knowledgeable than I am can tell you.

Sorry I was only referring to the Yale Doorman. A FlexM1 is quite suitable for that guy.

For your work card, I’d be surprised if the system really required a 4K. But it might check that. More likely though, someone procured 4K cards for the employees and programmed them into the system, that might well accept 1Ks.

If I was you, I’d order a test Magic M1k card and try to clone the first kilobyte, see what happens when you present it to the reader. If it barfs, then you’ll need a 4K, and the flexM1 ain’t it obviously.

ah. so I’ll read up on using nfctools then. guess I’ll fire up a VM with Kali linux and start testing with some blank cards first

Just talked to the id-card guy at work, and he said they just get their cards pre-programmed, and only enter the cardnumber in their system, so if I can manage to replicate that, then it is -possible- that I could get them to enroll my yale-key
interresting :slight_smile:

Yes, it is an expensive hobby. You should probably curse me :slight_smile:

just ordered a pack of magic 1k keycards :slightly_smiling_face:

Aaw well you see, that might be a bit of a problem: NFC utilities that drive USB readers directly usually don’t fare too well in a VM :slight_smile: You’d be MUCH better off with a Linux distro in dual-boot.

all this started as a simple lockpicking hobby, thinking the “Yale Doorman is a great challenge” and suddenly I’ve fallen down the rabbit hole of implants and RFID tags and whatnot :sweat_smile:
anyway… great fun :slight_smile:

Aaw well you see, that might be a bit of a problem: NFC utilities that drive USB readers directly usually don’t fare too well in a VM :slight_smile: You’d be MUCH better off with a Linux distro in dual-boot.

no problem using the USB Redirector software.
I plug the reader in the physical server, and “simply” clone it to any VM. I actually use it for my z-wave network which generates quite a bit of traffic and it works flawlessly.
worth checking out if you want to share USB devices.

Well it’s doable. I made a bunch of low-level Linux NFC utilities in a VM. The problem is timing: if the utility requires precise timing (and you’ll need one at least to hardnest the original Yale card) then it won’t work. The VM’s USB abstraction layer fucks up the timing completely. Also, it’s dead slow.

fair point, I’ll use a dualboot laptop for this purpose then

But do ask one of the Windows boffins on this here board: I bet there’s something that works under Windows for your purpose. It’s just that I don’t know any. That doesn’t mean it doesn’t exist.

There’s MCT on Android also, to clone Mifare Classics.

no worries, I primarily use *nix (on my servers. - wifey wants windows on the desktop), so I’d rather take the nfctools approach.

but to sum up: i need at least
1x flexEM for the yale
1x ?? if the id-card requires 4K, but most likely yet another flexEM for that purpose
1x next if I intend to buy the control-board for garage-door opening

of course after successfully cloning on some cheap magic-cards
…and quite possibly a proxman3 …easy…? for cloning if that doesn’t work.

guess I’ve got my birthday present wishlist ready then :no_mouth: