Making a Physical Mifare 1K UID Clone

January 10, 2019

What you will need:

1. Connect your Proxmark3 to your computer.

2. Launch the Proxmark3 client. If you do not have the Proxmark3 client setup check out our Getting Started Guide.

3. Once connected to the client run the 'hw ver' command. You should see output similar to what is shown below. If the version is not v3.01 your steps and commands may differ from the ones below.

proxmark3> hw ver
Prox/RFID mark3 RFID instrument          
bootrom: master-rysc/v3.0.1 2017-09-21 16:36:44
os: master-rysc/v3.0.1 2017-09-21 16:36:45
LF FPGA image built for 2s30vq100 on 2015/03/06 at 07:38:04
HF FPGA image built for 2s30vq100 on 2017/05/17 at 17:48:26
          
uC: AT91SAM7S512 Rev B          
Embedded Processor: ARM7TDMI          
Nonvolatile Program Memory Size: 512K bytes. Used: 192856 bytes (37). Free: 331432 bytes (63).          
Second Nonvolatile Program Memory Size: None          
Internal SRAM Size: 64K bytes          
Architecture Identifier: AT91SAM7Sxx Series          
Nonvolatile Program Memory Type: Embedded Flash Memory

4. Connect your HF Antenna to your Proxmark3 and run the 'hw tune' command in the client. You should see output similar to the one below.

proxmark3> hw tune

Measuring antenna characteristics, please wait...#db# DownloadFPGA(len: 42096)                 
.....#db# DownloadFPGA(len: 42096)                 
.          
# LF antenna:  0.00 V @   125.00 kHz          
# LF antenna:  0.00 V @   134.00 kHz          
# LF optimal:  0.28 V @   169.01 kHz          
# HF antenna: 13.36 V @    13.56 MHz          
# Your LF antenna is unusable.

5. After confirming that your HF Antenna is functioning correctly place your Mifare 1K tag on the HF Antenna. Now run the 'hf 14a read' command. Note and copy the UID you will need this later. In this example, the UID is 1eae5ae6.

proxmark3> hf 14a read
#db# DownloadFPGA(len: 42096)          
 UID : 1e ae 5a e6           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: NO,

6. Place your Chinese Magic Card 1K on top of your HF Antenna. Run the command "hf mf csetuid 1eae5ae6" replacing the UID with yours.

proxmark3> hf mf csetuid 1eae5ae6
--wipe card:NO  uid:1e ae 5a e6           
old block 0:  e9 6e 1b 10 8c 08 04 00 12 13 14 15 16 17 18 19           
new block 0:  1e ae 5a e6 0c 08 04 00 12 13 14 15 16 17 18 19           
old UID:e9 6e 1b 10           
new UID:1e ae 5a e6 

7. Your UID should now be changed. Check that the command worked correctly by running "hf 14a read" again. Your UID should now match your Mifare 1K card.

proxmark3> hf 14a read
 UID : 1e ae 5a e6           
ATQA : 00 04          
 SAK : 08 [2]          
TYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1          
proprietary non iso14443-4 card found, RATS not supported          
Answers to chinese magic backdoor commands: YES





Also in Blog

ProxmarkPro - How to Save/Load a Tag to SD Card
ProxmarkPro - How to Save/Load a Tag to SD Card

May 21, 2019

This blog post covers the steps of how to save and load a tag using the ProxmarkPro.

View full article →

ProxmarkPro - Using HID Brute
ProxmarkPro - Using HID Brute

May 21, 2019

This blog post covers how to do a brute force attack with a HID tag on the ProxmarkPro. A Brute force attack is done by trying to guess multiple tag UID's similar to a known working tag UID to gain access.

View full article →

ProxmarkPro - Cloning a HID Tag
ProxmarkPro - Cloning a HID Tag

April 02, 2019

This blog post covers the steps to clone a HID tag to a T5577 with a ProxmarkPro.

View full article →

We use cookies to ensure that we give you the best experience on our website. If you continue we'll assume that you are understand this. Learn more
Accept