xM1 gen2 Mifare Classic Implant
Product information "xM1 gen2 Mifare Classic Implant"
The xM1 is the implant based on Mifare Classic with improved antenna and range. Simply new, simply better.
Wherever the xNT based on Mifare Ultralight in the high-frequency range doesn’t work, the xM1 comes into play. The xM1 is a Mifare "Magic" 1k gen2 chip emulator with a writable sector 0 and "Chinese Magic Backdoor" functionality. This allows you to change the chip’s 4-byte ID (serial number) and overwrite all pages in any sector, including sector 0, regardless of the A / B key values or access bit settings.
What’s so great about the xM1?
Basically, the MF1ICS50 1k chip has been used for years in all kinds of applications as a "secure chip" for everything from access control to stored-value cards, and for local payments within closed systems like public transport and laundry services. Its security mechanism called "crypto1" is a simple, proprietary encryption system with little to do with modern cryptography. It’s been broken for many years, but the sheer number of systems still using it means that the S50 1k chip will be in use by legacy systems around the world for years to come. Now you can break the security on these cards and clone the content (including the non-unique 4-byte ID or NUID "serial number") onto your implant!
The gen2 version supports direct writing to sector 0 using standard write commands, depending on the key and access bit settings. This allows Android phones (sorry iPhone) to change the chip ID or write complete clones including sector 0 to the xM1 on the go, without additional special equipment, provided the keys are set to factory default or you have the correct keys for all sectors.
Compared to the earlier xM1+, the new xM1 has improved HF performance, nearly doubling the typical read range of the original xM1+. We've optimized the antenna tuning and L / C circuit specifications for better power transfer.
Value Kit contents:
- xM1 gen2
- Installation materials
- RFID Diagnostic Card
- xLED
"Single" contents:
- xM1 gen2
Technical Specifications:
- 13.56 MHz ISO14443A Mifare “magic” 1k emulator chip
- Emulates Mifare MF1ICS50 1k chip with “Chinese Magic Backdoor”
- The 4-byte ID and entire sector 0 can be written with Chinese Magic Backdoor (CMB) commands
- 10-year data retention. Rated for 100,000 write cycles per memory block.
- Encased in 3 x 13 mm Schott bioglass
- Pre-tested and preloaded in a sterile injection assembly
- No “anti-migration” coating allows for easy removal/replacement (biocompatible)
What’s the difference between gen1a and gen2?
Mifare “magic” 1k chips
A “magic” Mifare chip is a special gray-market chip made in China that can emulate the memory structure and functionality of real Mifare Classic chips, but also allows modification of sector 0. This means the serial number and manufacturing data of a Mifare “magic” chip can be changed so that it acts as a perfect clone of a real Mifare S50 1k chip.
“gen1a” or “gen2”?
Basically, gen1a chips are “safer” because you can recover from errors at any time, but you need special hardware or software to change sector 0 (where the serial number resides) or to recover from locked sectors. With gen2 chips, you can easily write to sector 0 using an NFC smartphone app, but if you accidentally lock a sector, you can’t recover it (just like a real “classic” 1k chip from Mifare).
gen1a
The “gen1a” magic Mifare chip requires a special backdoor command that opens all sectors for writing, including sector 0. The advantage is that even if you’ve lost the crypto1 keys for a certain sector marked as protected by access bits, you can still overwrite it after issuing the backdoor command. The downside is that the backdoor command is issued to the chip after it has supposedly entered the halt state, meaning only certain devices can send the backdoor command. Smartphones typically can’t do this because their chips and firmware don’t allow further communication once the chip is halted. Moreover, certain readers—especially in Asia—check for magic chips by sending the backdoor command, and if the chip responds, it shuts down to prevent access by a potentially cloned chip.
gen2
The gen2 magic Mifare chip has no backdoor command. All sectors are simply open for writing. The benefit of the gen2 magic chip is that even NFC-enabled smartphones can issue write commands to any sector, including sector 0—meaning you can use a smartphone app to change the chip ID along with all data in the manufacturing block. In addition, readers looking for magic chips have no reliable way to detect them. The trade-off is that it fully and accurately emulates the real Mifare S50 1k chip. There’s no backdoor. So if one or more sectors are protected via access bit changes, you need valid keys to make further changes. Also, if you set the access bits to lock a sector, there is no way to restore that sector—it will be permanently locked.
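The permanent lock described above is decided entirely by the access bits stored in each sector trailer, so the safest habit is to decode them before any write goes to the chip. The script below is an added example, not code from this page or from the vendor: it audits a constructed 1K dump (built in build_sample_dump with a hypothetical UID DE AD BE EF), checks the manufacturer block against the 4-byte layout (UID, BCC = XOR of the UID bytes, SAK, ATQA), decodes every sector trailer's access bits using the nibble layout from the MF1ICS50 datasheet, and reports sectors whose access bits can never be rewritten, sectors whose access bits fail the chip's own duplicate-nibble self-check, and, going slightly beyond the text, sectors still on the factory default key.

```python
"""Audit a Mifare Classic 1K dump before writing it to a gen2 "magic" chip.

Added example (not code from the page or from the vendor). It decodes the
sector-trailer access bits as laid out in the MF1ICS50 datasheet and reports,
per sector, whether the access bits can ever be rewritten, so an accidental
permanent lock is caught before the write. The dump is constructed in
build_sample_dump().
"""
from dataclasses import dataclass
from typing import Optional

BLOCK_SIZE = 16
BLOCKS_PER_SECTOR = 4
SECTORS = 16                      # 1K card: 16 sectors x 4 blocks x 16 bytes
DEFAULT_KEY = b"\xff" * 6         # transport-configuration key A / key B

# Who may rewrite the access bits themselves, indexed by the trailer block's
# (C1, C2, C3). None means "never": once stored, the sector stays that way.
TRAILER_ACCESS_BITS_WRITE = {
    (0, 0, 0): None, (0, 1, 0): None, (1, 0, 0): None, (1, 1, 0): None,
    (0, 0, 1): "A",  (0, 1, 1): "B",  (1, 0, 1): "B",  (1, 1, 1): None,
}
# Who may write a data block, indexed by that block's (C1, C2, C3).
DATA_BLOCK_WRITE = {
    (0, 0, 0): "A|B", (0, 1, 0): None, (1, 0, 0): "B",  (1, 1, 0): "B",
    (0, 0, 1): None,  (0, 1, 1): "B",  (1, 0, 1): None, (1, 1, 1): None,
}


def decode_access_bits(trailer: bytes) -> Optional[list]:
    """Return [(C1, C2, C3) for blocks 0..3] or None on a format violation.

    Trailer bytes 6..8 hold each nibble twice, once inverted:
      byte6 = ~C2 << 4 | ~C1,  byte7 = C1 << 4 | ~C3,  byte8 = C3 << 4 | C2
    The chip blocks the whole sector if the two copies disagree.
    """
    b6, b7, b8 = trailer[6], trailer[7], trailer[8]
    c1, c2, c3 = (b7 >> 4) & 0xF, b8 & 0xF, (b8 >> 4) & 0xF
    if ((~b6 >> 4) & 0xF) != c2 or (~b6 & 0xF) != c1 or (~b7 & 0xF) != c3:
        return None
    # Bit i of each nibble belongs to block i of the sector.
    return [((c1 >> i) & 1, (c2 >> i) & 1, (c3 >> i) & 1) for i in range(4)]


@dataclass
class SectorReport:
    sector: int
    valid: bool                               # access-bit self-check passes
    access_bits_writable_with: Optional[str]  # "A", "B" or None (never)
    data_block_write: list                    # per data block: "A|B", "B" or None
    default_keys: bool                        # key A or key B still FFFFFFFFFFFF


def check_block0(block0: bytes) -> dict:
    """Manufacturer block of a 4-byte-UID card: UID, BCC, SAK, ATQA, 8 data bytes."""
    uid = block0[:4]
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]
    return {"uid": uid.hex(), "bcc_ok": bcc == block0[4],
            "sak": block0[5], "atqa": block0[6:8].hex()}


def audit_sector(sector: int, blocks: list) -> SectorReport:
    trailer = blocks[3]
    bits = decode_access_bits(trailer)
    default_keys = trailer[:6] == DEFAULT_KEY or trailer[10:] == DEFAULT_KEY
    if bits is None:
        return SectorReport(sector, False, None, [None, None, None], default_keys)
    return SectorReport(sector, True, TRAILER_ACCESS_BITS_WRITE[bits[3]],
                        [DATA_BLOCK_WRITE[bits[i]] for i in range(3)], default_keys)


def audit_dump(dump: bytes) -> dict:
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK_SIZE:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    blocks = [dump[i:i + BLOCK_SIZE] for i in range(0, len(dump), BLOCK_SIZE)]
    reports = [audit_sector(s, blocks[s * 4:(s + 1) * 4]) for s in range(SECTORS)]
    return {
        "block0": check_block0(blocks[0]),
        "sectors": reports,
        "invalid_sectors": [r.sector for r in reports if not r.valid],
        "locked_sectors": [r.sector for r in reports
                           if r.valid and r.access_bits_writable_with is None],
        "default_key_sectors": [r.sector for r in reports if r.default_keys],
    }


def build_sample_dump() -> bytes:
    """Constructed dump: transport config everywhere except two deliberately bad sectors."""
    uid = bytes.fromhex("deadbeef")                  # hypothetical UID
    bcc = uid[0] ^ uid[1] ^ uid[2] ^ uid[3]          # 0x22
    block0 = uid + bytes([bcc, 0x08, 0x04, 0x00]) + bytes(8)
    transport = DEFAULT_KEY + bytes.fromhex("ff078069") + DEFAULT_KEY
    locked = DEFAULT_KEY + bytes.fromhex("00f0ff69") + DEFAULT_KEY   # all C bits = 1
    corrupt = DEFAULT_KEY + bytes.fromhex("ff078169") + DEFAULT_KEY  # nibble copies disagree
    out = bytearray()
    for s in range(SECTORS):
        first = block0 if s == 0 else bytes(BLOCK_SIZE)
        trailer = {5: locked, 9: corrupt}.get(s, transport)
        out += first + bytes(BLOCK_SIZE) * 2 + trailer
    return bytes(out)


if __name__ == "__main__":
    report = audit_dump(build_sample_dump())
    print("UID", report["block0"]["uid"], "BCC ok:", report["block0"]["bcc_ok"])
    print("permanently locked sectors:   ", report["locked_sectors"])
    print("format-violating sectors:     ", report["invalid_sectors"])
    print("sectors still on default keys:", report["default_key_sectors"])
```

On the constructed dump, sector 5 decodes to all-ones access bits (no key may ever touch the trailer or its data blocks) and sector 9 fails the duplicate-nibble check, which on a genuine chip blocks the sector irreversibly; both are exactly the situations the gen2 chip cannot recover from, so a dump containing them should not be written as-is.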
How do you change the ID of your Mifare Classic chip?
Writing to sector 0 of a “magic” chip to change its ID depends on which version you have:
gen1a
To change the ID of a gen1a magic chip, you’ll need a Proxmark3 or special software that can send the gen1a backdoor command to the magic chip via a common reader like the ACR122U.
Cloning card data to a “magic” chip
First, make sure your source card or key fob is a 4-byte “Classic” 1k card and not a new 7-byte “Mifare 1k” card. After the discovery of Crypto1 vulnerabilities in the “Classic” Mifare S50 1k and S70 4k chips, NXP (the company that makes Mifare chips) released various updated versions. These include Mifare Plus 1k and a Mifare “Classic” 1k EV1 (evolution one) chip. These new chips have the same memory structure as the real “Classic” 1k chips but use 7-byte UIDs instead of 4-byte IDs. Although there are new attacks on these chips, success is limited, and you won’t be able to fully copy a 7-byte ID number to a gen1a chip, which only supports 4-byte IDs.
The most powerful tool for this is the Proxmark3 – an RFID diagnostic and security research tool that is open-source and comes in many variants, shapes, and sizes. Its flexibility and firmware update support for the latest security tactics and tools make it a great investment for anyone wanting to experiment with RFID. While we don’t offer a guide on using the Proxmark3 to clone Mifare cards to a “magic” chip, there are many other guides that explain the process in detail:
- RyscCorp page on cloning a 4-byte ID to a “Magic” gen1 chip
- https://www.gavinjl.me/proxmark-3-cloning-a-mifare-classic-1k
- https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
If you don’t have a Proxmark3 but have a USB reader like the ACR122U, there are a few tools you can use. Here’s an example:
Video: https://www.youtube.com/watch?v=sY4Zjqe5trQ
or
gen2
You can write to sector 0 of a magic Gen2 chip just like any other sector on a “classic” Mifare S50 1k chip. This means you can even use an NFC smartphone and an app. Totally simple.
Flex implants are highly durable. Here are a few examples:
Video: https://www.youtube.com/watch?v=YP7oC3Jvc5M
Video: https://www.youtube.com/watch?v=--Y-YKgO-Kg
Proxmark3
By far the most powerful tool for cloning RFID tags is the Proxmark3 – an open-source tool for RFID diagnostics and security research available in many variants, shapes, and sizes. Its flexibility and ability to update firmware to support the latest security tactics and tools make the Proxmark3 an excellent tool. While we don’t offer a guide on using the Proxmark3 to clone Mifare cards to your xM1, there are already numerous other guides explaining how this works in detail:
https://store.ryscc.com/blogs/news/how-to-use-a-chinese-magic-card-with-proxmark3
https://www.gavinjl.me/proxmark-3-cloning-a-mifare-classic-1k/
https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html#mifare
Video: https://www.youtube.com/watch?v=sY4Zjqe5trQ
https://why.yuyeye.cc/post/can-uid-be-changed-on-mifare-1k-card/
| Form factor: | x-Series |
|---|---|
| Frequency: | 13.56 MHz |
| Functions: | Access control / opening doors |
November 20, 2020 13:49
...
** looking forward to the upgrade **
August 27, 2020 00:25
Great implant
Love this implant. Especially when you often get other access cards, you can simply rewrite this implant :)
February 12, 2020 18:07
Great
I’ve had the XM1 implant under my skin for about 3 months now and I’m thrilled. I use it for various access systems, but can also change the implant’s ID if needed (I haven’t tried that yet).