xM1+ and HID multiCLASS se readers

Heya all, I wonder if anyone has been using theirs with the readers mentioned in the topic. I’ve cloned the card ok using my proxmark3 and verified that the dump from xM1+ is identical from the original card dump using linux/mfoc and android/mifare classic tool but the reader refuses to accept the device. I get the beep of it being read with unlock. I’ve cloned the card into a magic backdoor card that came with proxmark and that is acceptable to the reader.
For obvious reasons I’m not going to talk to people who run security of the building and I’m a little hesitant to start sniffing the communication to figure out why the implant is not being accepted.

Interesting… are you sure the card is a backdoor card and not a gen2 card? Also are you sure the entire sector 0 is the same? What about the ATQA and SAK values of the backdoor card vs the xM1+ ? Just looking for anything that could tip off the HID system that it’s not a legit card.

also what does this mean? it beeps but doesn’t unlock?

It beeps but doesn’t unlock, correct. I sadly don’t have the card I cloned into any more, but it is entirely possible that it was a gen2 card. SAK and ATQA match between the xM1+ and the original. I’ll need to get a gen2 card to test that theory, thank you!
Going to try using a full size gen1a card to see if that gets accepted, to gauge if it’s just a problem with reading the implant.

Yeah some systems are looking for gen1 backdoor command support now and denying entry based on the response to that command… but that’s a fairly advanced feature for a system dedicated to using shit Mifare 1k cards… I’d be surprised if this was the case.

If you have a proxmark3 you could eavesdrop on the convo between reader and xM1 or gen1 card… maybe get some answers…

Yep, after I’ve tried different gens of card my next step is to sniff, but again, I’m not exactly hot on having people see me mess with card readers at a shared office :stuck_out_tongue:

2 Likes

Just tried to use a random gen1a card and it works :confused: Probably means the implant is not read reliably.

so strange… why would it beep then… seems odd. let’s talk flexM1… waiting for antennas but it’ll be out soon.

I’ve been keeping my ear to the ground with flexM1 :smiley: If you feel like letting me borrow an unsterile sample to test with these card readers I’d be grateful.

We are waiting for a bulk purchase of coil windings from our coil factory but China is going through both the Chinese New Year and the Kung Flu (coronavirus)… so shipments are delayed until further notice… so we’re not listing the product until we are able to mass produce here in Seattle… however… if you want to order one now we do have some early units made with test sample coils… we have both gen1a and gen2 versions available… the gen2 option might be better since it’s basically unable to be distinguished from a real Mifare (unless it attempts to write to sector 0 and has keys)… though the downside of a gen2 is that if you fuck up the sector access bits and kill a sector, it’s dead forever with no recovery option… unlike the gen1a option which lets you write whatever to any sector after the backdoor command is issued… the only other pro for gen2 is that you can write full dump files including sector 0 to them with an Android app (MCT), whereas you can’t write sector 0 or use the back door command at all via Android.

Anyway, I will PM / DM you with order details.

4 Likes

Would you mind also PMing me, @amal? I’ve been thinking about getting an xM1 but held off on the hopes of a flexM1 or @Pilgrimsmaster’s dream xM1/xEM hybrid.

My work system does accept gen1a, so that’s probably the safest for me, saves me from myself haha

2 Likes

Just got the new tag and reprogrammed it, will test tomorrow and if it works while outside the body will get it implanted. fingers crossed

3 Likes

First ? official person with the Flex M1, congrats :+1:

Did you decide on gen1a or gen 2 ?
If gen 2, did you re-programme with MCT?

1 Like

It’s gen1a. I’m a little averse to an implant that can be bricked by a bad write, so I’ll only go for gen2 if I absolutely have to :sweat_smile:

2 Likes

Very smart, that’s the route I would have taken.

I’d be interested in a flex M1 but I’m not in a rush by any means and I’ll wait for it to be posted as I’m yet to have an actual need for it.

That being said I’m thinking about location and want to hear thoughts about the blade edge of my left hand.

I keep seeing conflicting info about which generations of magic cards are brickable. @amal, do you have any trusted sources for info on these chips?

This vendor is advertising that their Gen2 cards are impossible to brick, but makes no mention of it on their Gen1a cards. And this website says Gen1a & Gen1b are easily bricked, but doesn’t say anything about bricking Gen2 chips.

Warning: Info in the table below may not apply for chips in flexM1’s. Using it to choose between Gen1a & Gen2 may result in you picking the wrong card.

1 Like

See… the problem with “magic” chips is that they are from China… a land where 10 different “blue cloners” can look identical but have different hardware or firmware or both inside… “gen1a” and “gen2” mean nothing… they are not standards or even product names… they are simply names derived through consensus to describe a loose set of features for illegal, intellectual property infringing chipsets.

For example, I don’t know that Fudan is actually producing these chips, because Fudan’s official statement is that they do not make any “magic” chipsets… at least the last time I talked to them. They deny making any chips that are UID changeable… but this is probably false. I am getting my magic chips through a side deal and I honestly have no idea who actually manufactured them… that’s not information my vendor is willing or possibly even able to share.

Also, when it comes to what can brick and what can’t and why… there are even more questions and possibilities. The actual REAL Mifare S50 1k “Classic” chip is broken into sectors… and of the writable sectors, each has a “sector trailer” which is the last block of the sector. The sector trailer contains access keys (A and B) as well as access bits for that specific sector… so each sector could be keyed differently and have different key permissions. For some reason they made the dumb decision to require you to write not only the access bit settings in “forward order” but also “inverted order”… meaning you write the access bits twice… once in one bit order, and once in the opposite bit order… and if you fuck that up, the entire sector locks and becomes unreadable and totally dead forever… for no real reason.

The Mifare “Classic” approach to memory organization and access permissions is so crazy I had to pore over the documentation for days and the only way to really make sense of it was to write my own little boiled down paper about it:

NFC-Access-Control-for-Mifare-S50.pdf (631.1 KB)

Now… when it comes to the “magic” chips… I see the image you posted mentions BCC bits… I have no idea what these are… but if you could find a description of what those actually are or what they mean, then maybe we could explore it a bit.

To be honest, I have not yet attempted to write incorrect access bits to a magic gen2 chip… but my assumption was that they would act and behave just like a real Mifare Classic chip, in that if you screwed up the access bits in the sector trailer, then that sector would be dead… and because gen2 is supposed to be just a normal Mifare Classic chip with a writable sector 0, then there is no “back door” way to fix that dead sector. When it comes to a gen1 chip, I’ve written corrupted data to it through the “front door” (normal write operation) and then overwrote the entire memory contents through the back door, restoring function of that dead sector… but maybe there is a way to screw up writing whatever these BCC bits are that really bricks the tag forever… probably as some kind of bad function of the “magic” routines inside the emulator chip (nothing to do with Mifare).

The first run of xM1 chips were so unstable that it could be functioning correctly and then encounter a reader that just wants to access some sectors and then the whole thing would brick and never come back… just terrible.

4 Likes
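The forward/inverted access-bit layout described above is easy to get wrong by hand, so here is a small checker to run over a sector trailer before writing it to a gen2 (no back door) tag. This is an added example constructed for this thread, not code from the post, from Dangerous Things or from NXP; the byte layout follows the public MIFARE Classic 1K datasheet, and the function names are my own.

```python
"""Sector-trailer access-bit encode/decode/check for MIFARE Classic 1K (S50).

Trailer bytes 6..8 hold C1/C2/C3 for the four blocks of a sector (block 3 is
the trailer itself). Each 4-bit group is stored twice: once inverted, once
plain. If the two copies disagree, the chip treats the trailer as invalid and
the sector is lost, which is the bricking case discussed in the thread.
"""


def encode_access_bits(conds):
    """conds: 4 tuples (c1, c2, c3) of 0/1 for blocks 0..3. Returns bytes 6..8."""
    if len(conds) != 4 or any(b not in (0, 1) for c in conds for b in c):
        raise ValueError("need 4 (c1, c2, c3) tuples of 0/1")
    c1 = sum(conds[i][0] << i for i in range(4))
    c2 = sum(conds[i][1] << i for i in range(4))
    c3 = sum(conds[i][2] << i for i in range(4))
    inv = lambda n: (~n) & 0xF
    byte6 = (inv(c2) << 4) | inv(c1)   # ~C2 | ~C1
    byte7 = (c1 << 4) | inv(c3)        #  C1 | ~C3
    byte8 = (c3 << 4) | c2             #  C3 |  C2
    return bytes([byte6, byte7, byte8])


def decode_access_bits(acc):
    """Parse bytes 6..8; raise ValueError if a plain group and its inverted
    copy disagree (writing such a trailer locks the sector for good)."""
    if len(acc) != 3:
        raise ValueError("need exactly 3 access bytes")
    b6, b7, b8 = acc
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    if ((b6 & 0xF) != (~c1 & 0xF) or (b6 >> 4) != (~c2 & 0xF)
            or (b7 & 0xF) != (~c3 & 0xF)):
        raise ValueError("inverted copy mismatch: this trailer would lock the sector")
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


def trailer_is_safe(trailer):
    """True when a 16-byte trailer (keyA | access | keyB) is safe to write via
    the front door: copies consistent, and the trailer's own condition (block 3)
    is one where the access bits stay writable (C3 == 1 and C1C2 != 11)."""
    if len(trailer) != 16:
        return False
    try:
        conds = decode_access_bits(trailer[6:9])
    except ValueError:
        return False
    c1, c2, c3 = conds[3]
    return c3 == 1 and (c1, c2) != (1, 1)


# Constructed sample: the factory "transport" trailer FF FF FF FF FF FF FF 07 80 69 ...
TRANSPORT = bytes.fromhex("ffffffffffff" "ff0780" "69" "ffffffffffff")
```

Run `trailer_is_safe` on every trailer block of a dump before flashing it to a gen2 tag; a False result means either the copies are inconsistent or the trailer would freeze its own access bits.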

So I have a few questions on the M1flex @amal, do you have an estimate on when the M1flex will be listed on the website, what are the dimensions going to be and can you supply a needle for installing? :slightly_smiling_face:
I figured the VivoKey alpha needle might work if the dimensions ain’t too different 🙂

No ETA for our antenna parts yet…boo!

Yes same needle for VivoKey Apex Flex… same dimensions as well.

1 Like