xM1 static nonce

So I cloned a card to the XM1, and now, even after performing “cwipe” - which performs successfully) , I get this message from the proxmark when scanning:

[#] 1 static nounce 01200145
[+] Static nonce: yes

If I try to restore a dump, I get lots of Auth errors.

[#] Cmd Error: 04
[#] Write block error
[+] isOk: 00

However, using mfoc and a Acr122u seems to work

Also, running “hf mf cload xxxxx-dump.eml” (rather than “hf mf restore 1”) seems to work (no errors, but it does not appear to be an identical clone as it doesn’t work at work)

What does “static nonce” even mean? And is there a way to remove it?

Paging @Equipter @Jirvin

In cryptography, a nonce is an arbitrary number that can be used just once in a cryptographic communication. It is similar in spirit to a nonce word, hence the name. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks

So a static nonce would be a nonce that can’t be changed.

1 Like

Thanks for the explanation.
What I don’t understand, is how a gen1a card that has been wiped, and only contains FFFFFFFFFFFF as keys, still show a static nounce?

I thought the whole point with gen1a was that they could be fully altered? :roll_eyes:

static nonce just means the PRNG (pseudorandom number generator) is fixed at 01200145 it wont cause any issues for your tag and is just preprogrammed by whoever created the chip, you cant remove it its a hard built feature

1 Like

Thanks for the clarification. I thought it was something that was cloned onto the chip.

Alas that means the work program detects magic cards, if that is the only difference :expressionless:

With work card: all ok

With flexM1: “the chip does not have any appropriate sector for this kind of card”

Grab yourself a Gen2 Test card and try that sucker, there might be a solution for you yet buddy!!!


1 Like

Wife is not gonna cut out the flexM1 (so if a gen2 works, that’d be even worse, - knowing she got the wrong one😜

Anyway, next step is to sniff the reader I guess… - see what it actually tries to do (they authenticate/authorize the card every 24 hours)

1 Like

Worse than not knowing at all???

Raz the people want to know…
Correction, the people NEED to know

Donkey sad


1 Like



Excellent, now I can stop working on my secret project for you…


I approve of that gif :joy:


@RazAquato Have you got your test card and hat a chance to actually test yet?

Still not arrived, I’ll update as soon as it gets here

Edit: arrived!
Will test next week and post the results :slightly_smiling_face: