xM1+ and HID multiCLASS se readers

Yeah some systems are looking for gen1 backdoor command support now and denying entry based on the response to that command… but that’s a fairly advanced feature for a system dedicated to using shit Mifare 1k cards… I’d be surprised if this was the case.

If you have a proxmark3 you could eavesdrop on the convo between reader and xM1 or gen1 card… maybe get some answers…

Yep, after I’ve tried different gens of card my next steps is to sniff, but again, I’m not exactly hot on having people see me mess with card readers at a shared office :stuck_out_tongue:

2 Likes

Just tried to use a random gen1a card and it works :confused: Probably means the implant is not read reliably.

so strange… why would it beep then… seems odd. let’s talk flexM1… waiting for antennas but it’ll be out soon.

I’ve been keeping my ear to the ground with flexM1 :smiley: If you feel like letting me borrow an unsterile sample to test with these card readers I’d be grateful.

We are waiting for a bulk purchase of coil windings from our coil factory but China is going through both the Chinese New Year and the Kung Flu (coronavirus)… so shipments are delayed until further notice… so we’re not listing the product until we are able to mass produce here in Seattle… however… if you want to order one now we do have some early units made with test sample coils… we have both gen1a and gen2 versions available… the gen2 option might be better since it’s basically unable to be distinguished from a real Mifare (unless it attempts to write to sector 0 and has keys)… though the down side of a gen2 is that if you fuck up the sector access bits and kill a sector, it’s dead forever with no recovery option… unlike the gen1a option which lets you write whatever to any sector after the backdoor command is issued… the only other pro for gen2 is that you can write full dump files including sector 0 to them with an Android app (MCT), whereas you can’t write sector 0 or use the back door command at all via Android.

Anyway, I will PM / DM you with order details.

4 Likes

Would you mind also PMing me, @amal? I’ve been thinking about getting an xM1 but held off on the hopes of a flexM1 or @Pilgrimsmaster’s dream xM1/xEM hybrid.

My work system does accept gen1a, so that’s probably the safest for me, saves me from myself haha

2 Likes

Just got the new tag and reprogrammed it, will test tomorrow and if it works while outside the body will get it implanted. fingers crossed

3 Likes

First ? official person with the Flex M1, congrats :+1:

Did you decide on gen1a or gen 2 ?
If gen 2, did you re-programme with MCT?

1 Like

It’s gen1a. I’m a little averse to an implant that can be bricked by a bad write, so I’ll only go for gen2 if I absolutely have to :sweat_smile:

2 Likes

Very smart, that’s the route I would have taken.

I’d be interested in a flex M1 but I’m not in a rush by any means and I’ll wait for it to be posted as I’m yet to have an actual need for it.

That being said I’m thinking about location and want to hear thoughts about the blade edge of my left hand.

I keep seeing conflicting info about which generations of magic cards are brickable. @amal, do you have any trusted sources for info on these chips?

This vendor is advertising that their Gen2 cards are impossible to brick, but makes no mention of it on their Gen1a cards. And this website says Gen1a & Gen1b are easily bricked, but doesn’t say anything about bricking Gen2 chips.

Warning: Info in the table below may not apply for chips in flexM1’s. Using it to choose between Gen1a & Gen2 may result in you picking the wrong card.

1 Like

See… the problem with “magic” chips is that they are from China… a land where 10 different “blue cloners” can look identical but have different hardware or firmware or both inside… “gen1a” and “gen2” mean nothing… they are not standards or even product names… they are simply names derived through consensus to describe a loose set of features for illegal, intellectual property infringing chipsets.

For example, I don’t know that Fudan is actually producing these chips, because Fudan’s official statement is that they do not make any “magic” chipsets… at least the last time I talked to them. They deny making any chips that are UID changeable… but this is probably false. I am getting my magic chips through a side deal and I honestly have no idea who actually manufactured them… that’s not information my vendor is willing or possibly even able to share.

Also, when it comes to what can brick and what can’t and why… there are even more questions and possibilities. The actual REAL Mifare S50 1k “Classic” chip is broken into sectors… and of the writable sectors, each has a “sector trailer” which is the last block of the sector. The sector trailer contains access keys (A and B) as well as access bits for that specific sector… so each sector could be keyed differently and have different key permissions. For some reason they made the dumb decision to require you to write not only the access bit settings in “forward order” but also “inverted order”… meaning you write the access bits twice… once in one bit order, and once in the opposite bit order… and if you fuck that up, the entire sector locks and becomes unreadable and totally dead forever… for no real reason.

The Mifare “Classic” approach to memory organization and access permissions is so crazy I had to pour over the documentation for days and the only way to really make sense of it was to write my own little boiled down paper about it;

NFC-Access-Control-for-Mifare-S50.pdf (631.1 KB)

Now… when it comes to the “magic” chips… I see the image you posted mention BCC bits… I have no idea what these are… but if you could find a description of what those actually are or what they mean, then maybe we could explore it a bit.

To be honest, I have not yet attempted to write incorrect access bits to a magic gen2 chip yet… but my assumption was that they would act and behave just like a real Mifare Classic chip, in that if you screwed up the access bits in the sector trailer, then that sector would be dead… and because gen2 is supposed to be just a normal Mifare Classic chip with a writable sector 0, then there is no “back door” way to fix that dead sector. When it comes to a gen1 chip, I’ve written corrupted data to it through the “front door” (normal write operation) and then overwrite the entire memory contents through the back door, restoring function of that dead sector… but maybe there is a way to screw up writing whatever these BCC bits are that really bricks the tag forever… probably as some kind of bad function of the “magic” routines inside the emulator chip (nothing to do with Mifare).

The first run of xM1 chips were so unstable that it could be functioning correctly and then encounter a reader that just wants to access some sectors and then the whole thing would brick and never come back… just terrible.

4 Likes

So I have a few questions on the M1flex @amal, do you have an estimate on when the M1flex will be listed on the website, what are the dimensions going to be and can you supply a needle for installing? :slightly_smiling_face:
I figured the VivoKey alpha needle might work if the dimensions ain’t to different🙂

No ETA for our antenna parts yet…boo!

Yes same needle for VivoKey Apex Flex… same dimensions as well.

1 Like

Boo Indeed :sweat_smile:
I wanted to get the flex before potentially bricking my xM1+ on a yale doorman lock, but I guess I’ll just have to try, then see how it fairies, still keeping one original tag with me in the beginning to see how it holds up :slightly_smiling_face:

1 Like

@Rosco did some testing on the Yale doorman V2N with a xM1 and it didn’t work :sweat_smile:
You got a prototype M1 Flex gen1 that I could buy @amal? It ould be fun to test it, to see if it’s big enough to trigger the read :slightly_smiling_face:

This was posted 2 weeks ago, so I am not sure of what stock they have remaining, but…

This was his reply 3 days ago

So fingers crossed

1 Like

Thanks for the tip @Pilgrimsmaster I sent a DM, since I guess Amal is quite buissy and might not get to read every post he’s tagged in :slightly_smiling_face:

1 Like