Writing to a FlexM1 "gen2" with Proxmark Easy

Hello all,

Assuming it is OK to abuse the forum's “motto” of “there are no stupid questions”, here goes.

I have just received my new FlexM1 “gen2” implant and Proxmark Easy kit via KSEC UK. Everything is set up and working, and I also have a number of KSEC test cards.

I am cloning a high frequency MIFARE Classic 4K access card, and by following the guides and videos I have been able to clone this card to a 1K magic Gen1 card using the Proxmark Easy and the “hf mf autopwn” / “hf mf cload -f xxxxx.eml” commands.

So far so good. BUT now that I want to test the same process towards a 1K magic Gen2 card as a proof of concept before testing the FlexM1 “gen2” I cannot find any guides here for solely using the Proxmark Easy and not having to use the MCT tool on a mobile phone. I assume that this should be possible?

Am I blind to available information or is the MCT tool the only write option?

Assistance would be appreciated. Thanks

//Rolf

Just give me a bit, I'm going to take my dog for a run before it gets too hot, then for a swim to cool down (about 2 hours).
If nobody else has answered you before I get back, I'll write something up for you.

I'm assuming you don't have a gen2 card to test on?
KSEC sell a test card bundle and magic card pack that I highly recommend.

anyway :service_dog: :running_man:


I do have a Gen2 test card :slightly_smiling_face:

//Rolf

I’ve always done autopwn on the PM3 EZ and then taken the keys to MCT for the writing, will be curious to see if there’s a better way to do it in just the PM3 EZ


I also have a FlexM1 gen2. It is one of my most used, and one of my favourites.
MOST/MORE people get the gen1a for fear of bricking a gen2.
I haven’t yet, and I use it frequently AND if I ever do, although it will suck, I will simply replace it (out with the old, in with the new)
I love mine, I plan on getting another one, purely for the super convenience, this finally brings me back to your question.

Personally, I prefer to use MCT because, again, of its convenience.
So day to day, I use my Flipper for LF stuff and my phone for gen2 stuff.
However since you asked specifically about PM3, if you try the same as the gen1a you will get a Block zero error.

Rather than write this all up, let me find a couple of references for you.

If you are still stuck after that ( hopefully not ) I’ll crack out my PM3, I don’t know the commands off the top of my head because, again, I simply use MCT.

I have a git page bookmarked

that should get you started, whilst I grab you some forum links …:hamster_emoji_gif:


what is everyone on about

hf mf cload is for gen1a cards.

for your gen2 implant you need hf mf restore and hf mf wrbl --b 0

run each of them with the -h flag to build your command. you will need to supply the keyfile for the gen2 and the data file of the original. for block 0 writing (the uid block) you need to attach the --force param.


Cool, thanks, that saved me finding it, or grabbing out my PM3

I never use my PM3 for gen2 because I find MCT easier, faster and more convenient, PLUS I save the card profiles on my phone and always have them with me


Thanks to all for the assistance. I am glad that my various tests were performed on 1K Gen2 test cards, one of which works simply using the Clone UID function. The second card, which may have been screwed by trying Gen1 commands on it, is in a very confusing state after my various testing.

This second 1KGen2 card can be read by the MCT tool BUT NOT any longer by NXP Taginfo so something is screwed up.

The MCT tag info displays the following data:

UID
– – – – (masked for security but correct 4 byte UID)
RF Technology:
ISO/IEC 14443, Type A
ATQA:
0004
SAK:
98
ATS:

Tag Type and Manufacturer:
MIFARE Classic, Unknown

MIFARE Classic Info

Memory Size:
4096
Block Size:
16 byte
Number of Blocks:
256

It seems that the 1KGen2 card has an incorrect memory size (4K) setting from somewhere.

Is there any way to recover from this and restore the card to default? I have tried the format option in MCT without success.

Thanks Rolf

it's the SAK.

the App is identifying it as 4K because when it does the full scan it is only finding 1k worth of storage, while the SAK indicates 4K of storage. MCT doesn't do a full scan till you ask it to.

to change it I'd need to know your block 0 to change the SAK to 08, as with gen2 it's not so easy to change that single value; you must replace the whole block.

confusing. i know.

Hello again,

I became a little unsure if I successfully managed to send you the correct file for your analysis of the SAK and corruption on the Gen2 1K magic card.

Here is the file again in case it did not reach your in-basket :slight_smile:

In the meantime I wish you a Very Happy New Year 2023 and thanks again for all the assistance here.

//Rolf

hf-mf-9484257F-dump-org.txt (2.1 KB)

I know this is a bit old but can you or someone maybe explain this a bit more? Like, can anyone explain that step by step? I don't use these things daily and I'm not a computer person, so is there any chance someone can explain this to me like a 5 year old? Like, what are the actual steps and commands? Not really sure what "-h flag to build your command" means, or what to do with “hf mf wrbl --b 0”, or where I would find this info: “supply the keyfile for the gen2 and the data file of the original”. The Android MCT app has errors, so it seems like I have to use the PM3, but I have searched this forum and YT up and down and this is the most info I have found about writing onto the magic ring. Thanks.

Since nobody has replied yet, let me wing it.

I know you want more detail than this, and there could be errors: I'm doing this blind (no PM3 with me) and I may have made some mistakes in here, because I prefer to use MCT. Hopefully there are enough clues in here for you to work it out.

Then you have 2 options:

Just write the (N)UID at Block 0, something like
hf mf wrbl -blk 0 (4 Byte NUID)
Use the hf mf help to confirm

Or

To get the key file
hf mf autopwn

then

Restore, which will write everything including the (N)UID something like
hf mf restore -1k -k -f
(there will be more parameters needed, but the -k is for the key file and the -f is for the dump file)

I hope that helps enough for you to work it out, or until somebody else comes along

Thank you so much for replying! I will give that a shot. I just got to Thailand and wanted to test the ring out on this trip before looking into implants.

From my experience, most places you will only need to change the (N)UID,
and most places with RFID access will be either LF EM41XX (probably in the form of a blue fob) or, more commonly, MiFare 1k.

I don't have a ring to compare, but if you look at getting an implant, my personal recommendation would be a FlexM1.
gen1a and gen2 have their pros and cons, but if you don't have an Android, a gen1a would be an equally good option.