Assuming it is OK to abuse the forum's “motto” of “there are no stupid questions”, here goes.
I have just received my new FlexM1 “gen2” implant and Proxmark Easy kit via KSEC UK. Everything is set up and working, and I also have a number of KSEC test cards.
I am cloning a high frequency MIFARE Classic 4K access card and, by following the guides and videos, I have been able to clone this card to a 1K magic Gen1 card using the Proxmark Easy and the “hf mf autopwn” / “hf mf cload -f xxxxx.eml” commands.
So far so good. BUT now that I want to test the same process on a 1K magic Gen2 card as a proof of concept before testing the FlexM1 “gen2”, I cannot find any guides here for using solely the Proxmark Easy, without having to use the MCT tool on a mobile phone. I assume that this should be possible?
Am I blind to available information or is the MCT tool the only write option?
Just give me a bit, I'm going to take my dog for a run before it gets too hot, then for a swim to cool down (about 2 hours).
If nobody else has answered you before I get back, I'll write something up for you.
I'm assuming you don't have a gen2 card to test on?
KSEC sell a test card bundle and magic card pack that I highly recommend.
I’ve always done autopwn on the PM3 EZ and then taken the keys to MCT for the writing, will be curious to see if there’s a better way to do it in just the PM3 EZ
I also have a FlexM1 gen2. It is one of my most used, and favourites.
MOST/MORE people get the gen1a for fear of bricking a gen2.
I haven't yet, and I use it frequently, AND if I ever do, although it will suck, I will simply replace it (out with the old, in with the new).
I love mine, I plan on getting another one, purely for the super convenience, this finally brings me back to your question.
Personally, I prefer to use MCT because, again, of its convenience.
So day to day, I use my Flipper for LF stuff and my phone for gen2 stuff.
However since you asked specifically about PM3, if you try the same as the gen1a you will get a Block zero error.
Rather than write this all up, let me find a couple of references for you.
If you are still stuck after that ( hopefully not ) I’ll crack out my PM3, I don’t know the commands off the top of my head because, again, I simply use MCT.
I have a git page bookmarked
that should get you started, whilst I grab you some forum links …
For your gen2 implant you need hf mf restore and hf mf wrbl --b 0
Run each of them with the -h flag to build your command. You will need to supply the key file for the gen2 and the data file of the original. For block 0 writing (the UID block) you need to attach the --force param.
Cool, thanks, that saved me finding it, or grabbing out my PM3
I never use my PM3 for gen2 because I find MCT easier, faster and more convenient, PLUS I save the card profiles on my phone and always have them with me
Thanks to all for the assistance. I am glad that my various tests were performed on 1K Gen2 test cards, one of which works simply using the Clone UID function. The second card, which may have been screwed by trying Gen1 commands on it, is in a very confusing state after my various testing.
This second 1K Gen2 card can be read by the MCT tool BUT NOT any longer by NXP TagInfo, so something is screwed up.
The app is identifying it because, when it does the full scan, it is only finding 1K worth of storage when the SAK indicates 4K of storage. MCT doesn't do a full scan until you ask it to.
To change it I'd need to know your block 0 to change the SAK to 08, as with gen2 it's not so easy to change that single value; you must replace the whole block.
I know this is a bit old but can you or someone maybe explain this a bit more? Like, can anyone explain that step by step? I don't use these things daily and I'm not a computer person, so is there any chance someone can explain this to me like a 5 year old? Like, what are the actual steps and commands? Not really sure what “-h flag to build your command” means, or what to do with “hf mf wrbl --b 0”, or where I would find this info: “supply the keyfile for the gen2 and the data file of the original”. The Android MCT app has errors, so it seems like I have to use the PM3, but I have searched this forum and YT up and down and this is the most info I have found about writing onto the magic ring. Thanks.
I know you want more detail than this. There could be errors, I'm doing this blind (no PM3 with me), and I may have made some mistakes in here because I prefer to use MCT. Hopefully there are enough clues in here for you to work it out.
Then you have 2 options:
Just write the (N)UID at Block 0, something like hf mf wrbl -blk 0 (4 Byte NUID)
Use the hf mf help to confirm
Or
To get the key file hf mf autopwn
then
Restore, which will write everything including the (N)UID, something like hf mf restore -1k -k -f
(there will be more commands needed, but the k is for the key file and f is for the dump file)
I hope that helps enough for you to work it out, or until somebody else comes along
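The two Proxmark3 recipes above (hf mf restore for a full dump, or hf mf wrbl on block 0 with --force for just the UID) both end up writing block 0, and the SAK problem from earlier in the thread (a 4K dump landing on a 1K gen2 card, fixable only by rewriting the whole of block 0) is a block 0 problem too. The following is an added example, not Proxmark3 code and not from anyone in this thread: it reads a Proxmark3 .eml dump, checks block 0 (UID, BCC, SAK, ATQA), rewrites block 0 for a gen2 target, trims a 4K dump to the 64 blocks a 1K card holds, and prints the hf mf wrbl line to type. The .eml layout (one 16-byte block per line, in hex) and the block 0 layout for a 4-byte UID (UID[4], BCC, SAK, ATQA[2], manufacturer data) are the standard MIFARE Classic format; the BCC is the XOR of the four UID bytes. The flag names --blk, -k, -d and --force are assumed from the current Iceman client and should be confirmed with hf mf wrbl -h, exactly as the thread advises. The sample dump is constructed.

```python
"""Inspect and rewrite block 0 of a Proxmark3 .eml dump for a gen2 magic card.

Added example for this thread (not Proxmark3 code).  Assumptions: 4-byte UID
cards only, and the Iceman-client flag names --blk / -k / -d / --force for
`hf mf wrbl` (confirm with `hf mf wrbl -h`).
"""

# Constructed sample: the first three blocks of a 4K card dump as
# `hf mf autopwn` would save them.  Block 0 encodes UID 04 A3 7B 1E,
# BCC 0xC2 (= 04^A3^7B^1E), SAK 0x18 (4K) and ATQA bytes 02 00.
SAMPLE_EML = """\
04A37B1EC2180200AB12C5E1F2D34D7E
00000000000000000000000000000000
00000000000000000000000000000000
"""

# SAK values as they appear in byte 5 of block 0.
SAK_NAMES = {0x08: "MIFARE Classic 1K", 0x18: "MIFARE Classic 4K", 0x09: "MIFARE Mini"}

# A 1K card has 16 sectors x 4 blocks; a 4K dump has 256 blocks.
BLOCKS_1K = 64


def parse_eml(text):
    """One 16-byte block per line, hex, as the Proxmark3 client writes it."""
    blocks = [bytes.fromhex(line.strip()) for line in text.splitlines() if line.strip()]
    for i, blk in enumerate(blocks):
        if len(blk) != 16:
            raise ValueError(f"block {i} is {len(blk)} bytes, expected 16")
    return blocks


def bcc(uid):
    """Block check character: XOR of the four UID bytes."""
    out = 0
    for b in uid:
        out ^= b
    return out


def describe_block0(block0):
    """Pull the fields a reader wants to see before writing anything."""
    uid = block0[0:4]
    sak = block0[5]
    return {
        "uid": uid.hex().upper(),
        "bcc_ok": block0[4] == bcc(uid),
        "sak": sak,
        "card": SAK_NAMES.get(sak, "unknown SAK"),
        "atqa": block0[6:8].hex().upper(),
    }


def rewrite_block0(block0, uid=None, sak=None, atqa=None):
    """Build the whole block 0 to write.  A gen2 card only takes block 0 as
    a complete block, so every field is set here and the BCC is recomputed
    for whatever UID ends up in it (a wrong BCC is one way to get a card
    that some readers no longer identify)."""
    new = bytearray(block0)
    if uid is not None:
        if len(uid) != 4:
            raise ValueError("only 4-byte UIDs are handled here")
        new[0:4] = uid
    new[4] = bcc(new[0:4])
    if sak is not None:
        new[5] = sak
    if atqa is not None:
        new[6:8] = atqa
    return bytes(new)


def trim_for_1k(blocks):
    """Keep only the blocks a 1K target can hold (what `restore --1k` relies on)."""
    return blocks[:BLOCKS_1K]


def pm3_wrbl_command(block0, key="FFFFFFFFFFFF"):
    """The block 0 write line for the Proxmark3 client (flag names assumed;
    FFFFFFFFFFFF is the factory key A on a fresh magic card)."""
    return f"hf mf wrbl --blk 0 -k {key} -d {block0.hex().upper()} --force"


def fix_4k_dump_for_1k_gen2(text):
    """Worked case from the thread: a 4K dump written to a 1K gen2 card.
    Rewrite block 0 as a 1K card (SAK 08, ATQA 04 00) and drop the blocks
    the target cannot hold."""
    blocks = trim_for_1k(parse_eml(text))
    blocks[0] = rewrite_block0(blocks[0], sak=0x08, atqa=bytes([0x04, 0x00]))
    return blocks


if __name__ == "__main__":
    original = parse_eml(SAMPLE_EML)[0]
    print("original block 0:", describe_block0(original))
    fixed = fix_4k_dump_for_1k_gen2(SAMPLE_EML)
    print("rewritten block 0:", describe_block0(fixed[0]))
    print("type into pm3:", pm3_wrbl_command(fixed[0]))
```

The ATQA change to 04 00 is my addition, not something the thread mentions: a reader that checks both SAK and ATQA will still see a 4K card if only the SAK byte is changed. Run the script against your own dump by replacing SAMPLE_EML with the contents of the .eml that autopwn saved, check that bcc_ok is True before you write, and paste the printed wrbl line into the pm3 client only after hf mf wrbl -h has confirmed the flag names for your build.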
Thank you so much for replying! I will give that a shot. I just got to Thailand and wanted to test the ring out on this trip before looking into implants.
From my experience, most places you will only need to change the (N)UID,
and most places with RFID access will be either LF EM41XX (probably in the form of a blue fob) or, more common, MIFARE 1K.
I don't have a ring to compare, but if you look at getting an implant, my personal recommendation would be a FlexM1.
gen1a and gen2 have their pros and cons, but if you don't have an Android, a gen1a would be an equally good option.