Yale Doorman V2N cracking by iceman

Aaand… I finally have me an NFC-enabled door lock that works with my implant. Woohoo!

I couldn’t resist: I found the command to lower the lock’s volume, and never mind the cold: I really wanted to get that thing going. I couldn’t wait for tomorrow.

So, the lock does write to my implant each time I open the door - always the same bytes in the same sector, which bothers the hell out of me. But, well, there really isn’t anything I can do about it if I want a door that unlocks with my implant. I suppose that sector will go dead in 273 years (= 100,000 writes) :slight_smile:

As planned, I have real Yale tag #1 cloned into a gen1a magic Chinese card, and real Yale tag #2 cloned into my implant. Both clones work perfectly, but the originals are now off-limits from the lock: normally they should just be rejected, but I don’t want to risk the clones being struck off the list of working tags in the lock’s memory. Real Yale tag #3 is registered with the lock normally, and will be the missus’ key to get into the house.

I also have a full log of the magic Chinese card and my implant (keys and data) in the following states:

1/ Blank (transport configuration)
2/ After cloning (exact clone, byte-to-byte)
3/ After presenting the clone to the lock for registration, but letting the process time out (1st time)
4/ After presenting the clone to the lock for registration, but letting the process time out (2nd time)
5/ After presenting the clone to the lock for registration, completing the registration
6/ After unlocking the door, 1st time
7/ After unlocking the door, 2nd time
8/ After unlocking the door, 3rd time
9/ After unlocking the door, 4th time
10/ After unlocking the door, 5th time

At no point after cloning do the M1k keys change (neither A nor B, in any sector/block). The lock does not rewrite the keys at all, apparently. But interestingly, it does change 3 bytes in sector 0 / block 2 just by presenting the card for registration, even if the process isn’t carried out all the way:

I’m not sure why it does that. But in theory, it means another lock is able to know that the tag is not entirely “virgin”. What it does with that information, I don’t know.

Once the tag is registered, the lock writes to sector 2 / block 1 (first and only registered lock, out of 6 possible registered locks for a given tag) each time the tag is presented and the lock opens. But again interestingly, at the very first opening, the lock also writes again to sector 0 / block 2:

I assume it’s some sort of flag set by the lock to know the working sector / block has been written to after the first opening, so it rotates the keys - or whatever it does - in there instead of resetting it to the same value over and over as if it was the first opening each time the tag is presented. But I don’t think it needs that to properly “follow” a tag’s encrypted sequence in sector 2 / block 1. So maybe not.

I’ll goof around some more with it when I have time. But at least right now I finally have a friggin’ NFC lock on my door, and that’s something. At long last!

Finally, a thought occurred to me: maybe Iceman’s hacking effort isn’t terribly useful after all: if his ultimate goal is to be able to create cheap-ass tags that work with Doorman locks instead of getting ripped off by Yale for genuine tags, the only thing a lock owner needs is a dump of a genuine, unused tag that hasn’t been registered with their lock yet. Since those things aren’t connected, even if one million locks around the world share the same tag, neither the locks nor Yale would be able to know that.

And it’s perfectly secure too: even if my neighbor had a Doorman lock and used a cloned tag based on one of mine, as soon as it’s registered with his lock and one of us uses their tag at least once more than the other, his tag couldn’t be used with my lock, nor mine with his.

So, if a few of us posted, say, a dozen unused Yale tag dumps, each and every Doorman owner in the world could create a dozen cheap tags for themselves with that pool of dumps.

Ergo, no need for hacking. Unless of course the hacking effort is for its own sake - for the beauty of it - which is a perfectly valid justification also :slight_smile:

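The state-by-state comparison the post describes (which sector/block moved between dumps, and whether any key A / key B in a sector trailer changed) is easy to automate. The script below is an added example, not the poster's or Iceman's code: it assumes raw 1024-byte MIFARE Classic 1K dumps (16 sectors × 4 blocks × 16 bytes, the layout Proxmark's `hf mf dump` produces), and the sample dumps it builds are constructed for illustration, not captured from a Yale tag. The specific changed bytes, UID and key values are invented.

```python
# Added example: diff MIFARE Classic 1K dumps across states, report which
# (sector, block) changed at which byte offsets, and flag any sector-trailer
# key (A or B) or access-bits change. Dumps are assumed to be raw 1024-byte
# binaries. All sample data below is constructed; nothing here is from a real tag.

SECTORS, BLOCKS_PER_SECTOR, BLOCK_SIZE = 16, 4, 16
DUMP_SIZE = SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE  # 1024 bytes for a 1K card


def load_dump(path: str) -> bytes:
    """Read a raw binary dump file (e.g. the .bin written by a Proxmark)."""
    with open(path, "rb") as f:
        return f.read()


def block_at(dump: bytes, sector: int, block: int) -> bytes:
    """Return the 16 bytes of (sector, block); block 3 is the sector trailer."""
    if len(dump) != DUMP_SIZE:
        raise ValueError(f"expected {DUMP_SIZE}-byte 1K dump, got {len(dump)}")
    start = (sector * BLOCKS_PER_SECTOR + block) * BLOCK_SIZE
    return dump[start:start + BLOCK_SIZE]


def with_block(dump: bytes, sector: int, block: int, data: bytes) -> bytes:
    """Return a copy of dump with (sector, block) replaced by the 16 bytes in data."""
    if len(data) != BLOCK_SIZE:
        raise ValueError("block data must be exactly 16 bytes")
    start = (sector * BLOCKS_PER_SECTOR + block) * BLOCK_SIZE
    return dump[:start] + data + dump[start + BLOCK_SIZE:]


def trailer(dump: bytes, sector: int) -> dict:
    """Split a sector trailer into key A, access bits (+ GPB byte) and key B."""
    t = block_at(dump, sector, 3)
    return {"keyA": t[0:6].hex(), "access": t[6:10].hex(), "keyB": t[10:16].hex()}


def diff_dumps(old: bytes, new: bytes) -> list:
    """List every block that differs, with changed byte offsets; trailer
    differences are additionally broken down into keyA / access / keyB."""
    changes = []
    for sector in range(SECTORS):
        for block in range(BLOCKS_PER_SECTOR):
            a, b = block_at(old, sector, block), block_at(new, sector, block)
            if a == b:
                continue
            entry = {"sector": sector, "block": block,
                     "offsets": [i for i in range(BLOCK_SIZE) if a[i] != b[i]],
                     "before": a.hex(), "after": b.hex()}
            if block == 3:
                ta, tb = trailer(old, sector), trailer(new, sector)
                entry["trailer"] = {k: (ta[k], tb[k]) for k in ta if ta[k] != tb[k]}
            changes.append(entry)
    return changes


def keys_changed(old: bytes, new: bytes) -> bool:
    """True if any key A or key B in any sector trailer differs between dumps."""
    return any(trailer(old, s)[k] != trailer(new, s)[k]
               for s in range(SECTORS) for k in ("keyA", "keyB"))


def timeline(states: list) -> list:
    """states: [(label, dump), ...] in chronological order. One summary per
    transition: which (sector, block) pairs moved and whether any key did."""
    return [{"from": l0, "to": l1,
             "blocks": [(c["sector"], c["block"]) for c in diff_dumps(d0, d1)],
             "keys_changed": keys_changed(d0, d1)}
            for (l0, d0), (l1, d1) in zip(states, states[1:])]


def constructed_dump() -> bytes:
    """Transport-configuration 1K dump: FF keys, default access bits FF078069,
    an invented manufacturer block, zeroed data blocks. Constructed sample."""
    blocks = []
    for sector in range(SECTORS):
        for block in range(BLOCKS_PER_SECTOR):
            if sector == 0 and block == 0:
                uid = bytes.fromhex("deadbeef")            # invented 4-byte UID
                bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]   # UID check byte
                # SAK 08, ATQA 0400, then 8 invented manufacturer bytes
                blocks.append(uid + bytes([bcc]) + bytes.fromhex("0804006263646566676869"))
            elif block == 3:
                blocks.append(bytes.fromhex("ffffffffffff" "ff078069" "ffffffffffff"))
            else:
                blocks.append(bytes(BLOCK_SIZE))
    return b"".join(blocks)


if __name__ == "__main__":
    # Constructed stand-ins for the post's states: 3 bytes move in sector 0 /
    # block 2 at registration; sector 2 / block 1 and sector 0 / block 2 move
    # at the first opening. The byte values are invented.
    blank = constructed_dump()
    registered = with_block(blank, 0, 2, bytes(6) + bytes.fromhex("a1b2c3") + bytes(7))
    opened = with_block(registered, 2, 1, bytes.fromhex("0102030405060708090a0b0c0d0e0f10"))
    opened = with_block(opened, 0, 2, bytes(6) + bytes.fromhex("a1b2c4") + bytes(7))
    for step in timeline([("blank", blank), ("registered", registered), ("opened 1", opened)]):
        print(step)
```

Feed it the ten real dumps in order (via `load_dump`) and `timeline` gives the same "only these blocks moved, keys untouched" table the post works out by hand; any unexpected trailer change shows up as a `keys_changed: True` transition with the before/after key values in the `trailer` entry.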